Abstract We introduce the class of Interrupt Timed Automata (ITA), a subclass of hybrid automata well suited to the description of timed multi-task systems with interruptions in a single processor environment.

While the reachability problem is undecidable for hybrid automata we show that it is decidable for ITA. More precisely we prove that the untimed language of an ITA is regular, by building a finite automaton as a generalized class graph. We then establish that the reachability problem for ITA is in NEXPTIME and in PTIME when the number of clocks is fixed. To prove the first result, we define a subclass ITA_ of ITA, and show that (1) any ITA can be reduced to a language-equivalent automaton in ITA_ and (2) the reachability problem in this subclass is in NEXPTIME (without any class graph).

In the next step, we investigate the verification of real time properties over ITA. We prove that model checking SCL, a fragment of a timed linear time logic, is undecidable. On the other hand, we give model checking procedures for two fragments of timed branching time logic.

We also compare the expressive power of classical timed automata and ITA and prove that the corresponding families of accepted languages are incomparable. The result also holds for languages accepted by controlled real-time automata (CRTA), that extend timed automata. We finally combine ITA with CRTA, in a model which encompasses both classes and show that the reachability problem is still decidable. Additionally we show that the languages of ITA are neither closed under complementation nor under intersection.
1 Introduction

1.1 Context 

The model of timed automata (TA), introduced in [1], has proved very successful due 
to the decidability of several important verification problems including reachability 
and model checking. A timed automaton consists of a finite automaton equipped with 
real valued variables, called clocks, which evolve synchronously with time, during the 
sojourn in states. When a discrete transition occurs, clocks can be tested by guards, 
which compare their values with constants, and reset. The decidability results were 
obtained through the construction of a finite partition of the state space into regions, 
leading to a finite graph which is time-abstract bisimilar to the original transition 
system, thus preserving reachability. 

Consider several tasks executing on a single processor (possibly scheduled beforehand, although this step is beyond the scope of this paper). As a result, tasks are intertwined and may interrupt one another [37]. Since the behaviour of such systems may depend on the current execution times of the tasks, a timed model should measure these execution times, which involves clock suspension in case of interruptions. Unfortunately, timed automata lack this feature of clock suspension, hence more expressive models should be considered.

Hybrid automata (HA) have subsequently been proposed as an extension of timed 
automata [30], with the aim to increase the expressive power of the model. In this 
model, clocks are replaced by variables which evolve according to a differential equation. 
Furthermore, guards consist of more general constraints on the variables and resets are 
extended into (possibly non deterministic) updates. This model is very expressive, but 
reachability is undecidable in HA. The simpler model obtained by allowing clocks to be 
stopped and resumed, stopwatch automata (SWA), would be sufficient to model task 
interruptions in a processor. However, reachability is also undecidable for SWA [18] . 
Many classes have been defined, between timed and hybrid automata, to obtain the 
decidability of this problem. 

Task automata [23] and suspension automata [31] model explicitly the scheduling of processes. Some classes restrict the use of variation of clock rate in hybrid automata to achieve decidability. Examples of such classes are systems with piece-wise constant derivatives [6] and controlled real-time automata [21]. Guards may also be restricted, as in multi-rate or rectangular automata [3], some integration graphs [26], or polygonal hybrid systems [7]. Restricting reset may also lead to decidability as in the hybrid automata with strong resets [13] or initialized stopwatch automata [24]. O-minimal hybrid systems [28, 29] provide algebraic constraints on hybrid systems to yield decidability. Extensions of timed automata to release some constraints were also considered, as in some updatable timed automata [12].

While untimed properties like reachability and LTL [33, 38] or CTL model checking [22, 34, 19] are useful for such models, real time verification considers more precise requirements, for instance quantitative response time properties. Therefore, timed extensions of these logics have been defined. In the case of linear time logics, verification of the most natural extension MTL [37] is undecidable on TA. However, several decidable fragments such as MITL [5] and SCL [35] have subsequently been defined. In the case of timed variants of branching time logics, different versions of Timed CTL (TCTL) [2, 25] have been defined. Model checking procedures on TA for both versions of TCTL have been developed and implemented in several tools [8, 15].



1.2 Contributions 

In this paper, we define a subclass of hybrid automata, called Interrupt Timed Au- 
tomata (ITA), well suited to the description of multi-task systems with interruptions 
in a single processor environment. 

The ITA model. In an ITA, the finite set of control states is organized according to interrupt levels, ranging from 1 to n, with exactly one active clock for a given level. The clocks from lower levels are suspended and those from higher levels are not yet defined (thus have arbitrary value 0). On the transitions, guards are linear constraints using only clocks from the current level or the levels below and the relevant clocks can be updated by linear expressions, using clocks from lower levels. Finally, each state has a policy (lazy, urgent or delayed) that rules the sojourn time. This model is rather expressive since it combines variables with rate 1 or 0 (usually called stopwatches) and linear expressions for guards or updates. The ITA model is formally defined in Section 2.

Reachability problem. As said before, the reachability problem is undecidable for automata with stopwatches [24, 18, 16]. However, we prove that it is decidable for ITA.

More precisely, we first show that the untimed language of an ITA is effectively regular (Section 3). The corresponding procedure significantly extends the classical region construction of [1] by associating with each state a family of orderings over linear expressions. This construction yields a decision algorithm for reachability in 2-EXPTIME, and PTIME when the number of clocks is fixed. This should be compared to TA with 3 clocks for which reachability is PSPACE-complete [20].

We define a slight restriction of the model, namely ITA_, which forbids updates 
of clocks other than the one of the current level. We prove that for any ITA one can 
build an equivalent ITA_ w.r.t. language equivalence, whose size is at most exponential 
w.r.t. the size of the ITA and polynomial when the number of clocks is fixed. Based on 
the existence of a bound for the length of the minimal reachability path, we then show 
that reachability on ITA_ can be decided in NEXPTIME without any class graph 
construction. This yields a NEXPTIME procedure for reachability in ITA (Section 4).

Model checking over ITA. We then focus on the verification of real time properties for 
ITA (Section 5), expressed in timed extensions of LTL and CTL.

First we show that the model checking of timed (linear time) logic MITL [5] is 
undecidable. Actually, even the fragment SCL [35] cannot be verified on ITA, while the 
corresponding verification problem over TA is PSPACE-complete. 

We then consider two fragments of the timed (branching time) logic TCTL, introduced in [2] and also studied later from the expressiveness point of view [3]. The first one, TCTL_c, contains formulas involving comparisons of model clocks as atomic propositions. In this logic, it is possible to express properties like: (P1) a safe state is reached before spending 3 t.u. in handling some interruption. Decidability is obtained by a generalized class graph construction in 2-EXPTIME (PTIME if the number of clocks is fixed). Since the corresponding fragment cannot refer to global time, we consider a second fragment, TCTL_p, in which we can reason on minimal or maximal delays. Properties like (P2) the system is error free for at least 50 t.u. or (P3) the system will reach a safe state within 7 t.u. can be expressed. In this case, the decidability procedure has a complexity in NEXPTIME for the existential fragment and 2-EXPTIME for the universal fragment (respectively NP and co-NP if the number of clocks is fixed).

Expressiveness. We also study the expressive power of the class ITA (Section 6), in comparison with the original model of timed automata and the more general controlled real-time automata (CRTA) proposed in [21]. In CRTA, clocks and states are colored
and a time rate is associated with every state. During the visit of a state, all clocks 
colored by the color of the state evolve with the state rate while the others do not 
evolve. We prove that the corresponding families of languages ITL and TL, as well as 
ITL and CRTL, are incomparable. Additionally we show that ITL is neither closed 
under complementation nor under intersection. 

Extensions. We finally investigate compositions of ITA and other timed models (Section 7). In the first composition, a synchronous product of an ITA and a TA, we prove that the reachability problem becomes undecidable. We then define a more appropriate product of ITA and CRTA. The CRTA part describes a basic task at an implicit additional level 0. For this extended model denoted by ITA^+, we show that reachability is still decidable with the same complexity and in PSPACE when the number of clocks is fixed.



2 Interrupt Timed Automata 

2.1 Notations 

The sets of natural, rational and real numbers are denoted respectively by $\mathbb{N}$, $\mathbb{Q}$ and $\mathbb{R}$. A timed word over an alphabet $\Sigma$ is a finite sequence $w = (a_1, \tau_1) \ldots (a_n, \tau_n)$ where $a_i$ is in $\Sigma$ and $(\tau_i)_{1 \le i \le n}$ is a non-decreasing sequence of real numbers. The length of $w$ is $n$ and the duration of $w$ is $\tau_n$.

For a finite set $X$ of clocks, a linear expression over $X$ is a term of the form $\sum_{x \in X} a_x \cdot x + b$ where $b$ and $(a_x)_{x \in X}$ are in $\mathbb{Q}$. We denote by $\mathcal{C}(X)$ the set of constraints obtained by conjunctions of atomic propositions of the form $C \bowtie 0$, where $C$ is a linear expression over $X$ and $\bowtie \in \{>, \ge, =, \le, <\}$. The subset $\mathcal{C}_0(X)$ of $\mathcal{C}(X)$ contains constraints of the form $x + b \bowtie 0$. An update over $X$ is a conjunction (over $X$) of assignments of the form $x := C_x$, where $x$ is a clock and $C_x$ is a linear expression over $X$. The set of all updates over $X$ is written $\mathcal{U}(X)$, with $\mathcal{U}_0(X)$ for the subset containing only assignments of the form $x := 0$ (reset) or of the form $x := x$ (no update). For a linear expression $C$ and an update $u$, the expression $C[u]$ is obtained by "applying" $u$ to $C$, i.e. substituting each $x$ by $C_x$ in $C$, if $x := C_x$ is the update for $x$ in $u$. For instance, for the set of two clocks $X = \{x_1, x_2\}$, expression $C = x_2 - 2x_1 + 3$ and update $u$ defined by $x_1 := 1 \wedge x_2 := 2x_1 + 1$, applying $u$ to $C$ yields the expression $C[u] = 2x_1 + 2$.

A clock valuation is a mapping $v : X \mapsto \mathbb{R}$, with $\mathbf{0}$ the valuation where all clocks have value $0$. The set of all clock valuations is $\mathbb{R}^X$ and we write $v \models \varphi$ when valuation $v$ satisfies the clock constraint $\varphi \in \mathcal{C}(X)$. For a valuation $v$, a linear expression $C$ and an update $u$, the value $v(C)$ is obtained by replacing each $x$ in $C$ by $v(x)$ and the valuation $v[u]$ is defined by $v[u](x) = v(C_x)$ for $x$ in $X$ if $x := C_x$ is the update for $x$ in $u$. Observe that an update is performed simultaneously on all clocks. For instance, let $X = \{x_1, x_2, x_3\}$ be a set of three clocks. For valuation $v = (2, 1.5, 3)$ and update $u$ defined by $x_1 := 1 \wedge x_2 := x_2 \wedge x_3 := 3x_2 - x_1$, applying $u$ to $v$ yields the valuation $v[u] = (1, 1.5, 2.5)$.

Fig. 1 Interrupt levels and clocks in an ITA.



2.2 Models of timed systems 

The model of ITA is based on the principle of multi-task systems with interruptions, in a single processor environment. We consider a set of tasks with different priority levels, where a higher level task represents an interruption for a lower level task. At a given level, exactly one clock is active (rate 1), while the clocks for tasks of lower levels are suspended (rate 0), and the clocks for tasks of higher levels are not yet activated and thus contain value 0. The mechanism is illustrated in Fig. 1 where irrelevant clock values are greyed. An example of such behavior can be produced by the ITA depicted in Fig. 2, which describes a system that answers requests according to their priority. It starts by receiving a request for a main task of priority 1. The treatment of this task can be interrupted by tasks of priority 2 or 3, depending on how far the system is in the execution of the main task. Tasks of priority 2 and 3 may generate errors (modeled by an interruption of higher level), after which the system recovers. On this system, deciding if it is possible (or always the case) that the main task is executed in less than a certain amount of time would give an insight on the quality of service of the system.

Enabling of a transition depends on the clocks valuation. The enabling conditions, 
called guards, are linear constraints on the clock values of levels lower than or equal 
to the current level: the ones that are relevant before the firing of the transition. 
Additionally, a transition can update the values of the clocks. If the transition decreases 
(resp. increases) the level, then each clock which is relevant after (resp. before) the 
transition can either be left unchanged or take a linear expression of clocks of strictly 
lower level. 

Along with its level, each state has a timing policy which indicates whether time 
may (Lazy, default), may not (Urgent) or must (Delayed) elapse in a state. Note that in 
TA, this kind of policy can be enforced by an additional clock while this is not possible 
here because there is a single clock per level. This additional feature is needed for the 
definition and further use of the model of ITA_ (see Section 4). Note that the class graph construction of Section 3 is still valid without them.
Fig. 2 An ITA that produces, among others, the behavior represented in Fig. 1.



We also add a labeling of states with atomic propositions, in view of interpreting 
logic formulas on these automata. In the sequel, the level of a transition is the level 
of its source state. We also say that a transition is lazy (resp. urgent, delayed) if the 
policy of its source state is lazy (resp. urgent, delayed). 

Definition 1 An interrupt timed automaton is a tuple $\mathcal{A} = (\Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta)$, where:

— $\Sigma$ is a finite alphabet, $AP$ is a set of atomic propositions,

— $Q$ is a finite set of states, $q_0$ is the initial state, $F \subseteq Q$ is the set of final states,

— $pol : Q \to \{Lazy, Urgent, Delayed\}$ is the timing policy of states,

— $X = \{x_1, \ldots, x_n\}$ consists of $n$ interrupt clocks,

— the mapping $\lambda : Q \to \{1, \ldots, n\}$ associates with each state its level and we call $x_{\lambda(q)}$ the active clock in state $q$. The mapping $lab : Q \to 2^{AP}$ labels each state with a subset of $AP$ of atomic propositions,

— $\Delta \subseteq Q \times \mathcal{C}(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}(X) \times Q$ is the set of transitions. Let $q \xrightarrow{\varphi, a, u} q'$ in $\Delta$ be a transition with $k = \lambda(q)$ and $k' = \lambda(q')$. The guard $\varphi$ is a conjunction of constraints $\sum_{j \le k} a_j x_j + b \bowtie 0$ (involving only clocks from levels less than or equal to $k$). The update $u$ is of the form $\bigwedge_{i=1}^{n} x_i := C_i$ with:

— if $k > k'$, i.e. the transition decreases the level, then for $1 \le i \le k'$, $C_i$ is either of the form $\sum_{j < i} a_j x_j + b$ or $C_i = x_i$ (unchanged clock value) and for $i > k'$, $C_i = 0$;

— if $k \le k'$ then for $1 \le i \le k$, $C_i$ is of the form $\sum_{j < i} a_j x_j + b$ or $C_i = x_i$, and for $i > k$, $C_i = 0$.

A configuration $(q, v, \beta)$ of the associated transition system consists of a state $q$ of the ITA, a clock valuation $v$ and a boolean value $\beta$ expressing whether time has elapsed since the last discrete transition. This third component is needed to define the semantics according to the policies.

Definition 2 The semantics of an ITA $\mathcal{A}$ is defined by the (timed) transition system $\mathcal{T}_{\mathcal{A}} = (S, s_0, \to)$. The set $S$ of configurations is $\{(q, v, \beta) \mid q \in Q,\ v \in \mathbb{R}^X,\ \beta \in \{\top, \bot\}\}$, with initial configuration $s_0 = (q_0, \mathbf{0}, \bot)$. The relation $\to$ on $S$ consists of two types of steps:

Time steps: Only the active clock in a state can evolve, all other clocks are suspended. For a state $q$ with active clock $x_{\lambda(q)}$, a time step of duration $d \ge 0$ is defined by $(q, v, \beta) \xrightarrow{d} (q, v', \top)$ with $v'(x_{\lambda(q)}) = v(x_{\lambda(q)}) + d$ and $v'(x) = v(x)$ for any other clock $x$. A time step of duration $0$ leaves the system in the same configuration. When $pol(q) = Urgent$, only time steps of duration $0$ are allowed from $q$.

Discrete steps: A discrete step $(q, v, \beta) \xrightarrow{a} (q', v', \bot)$ can occur if there exists a transition $q \xrightarrow{\varphi, a, u} q'$ in $\mathcal{A}$ such that $v \models \varphi$ and $v' = v[u]$. When $pol(q) = Delayed$ and $\beta = \bot$, discrete steps are forbidden.

The labeling function $lab$ is naturally extended to configurations by $lab(q, v, \beta) = lab(q)$.

An ITA $\mathcal{A}_1$ is depicted in Fig. 3(a) with two interrupt levels (and two interrupt clocks). A geometric view is given in Fig. 3(b) with a possible trajectory: first the value of $x_1$ increases from $0$ in state $q_0$ (horizontal line) and, after transition $a$ occurs, its value is frozen in state $q_1$ while $x_2$ increases (vertical line) until reaching the line $x_2 = -\frac{1}{2} x_1 + 1$. The light grey zone defined by $0 \le x_1 \le 1$, $0 \le x_2 \le -\frac{1}{2} x_1 + 1$ corresponds to the set of valuations reachable in state $q_1$ and from which state $q_2$ is reachable.

Fig. 3 An example of ITA and a possible execution: (a) an ITA $\mathcal{A}_1$ with two interrupt levels; (b) a possible trajectory in $\mathcal{A}_1$.



We now briefly recall the classical model of Timed Automata (TA) [1] as well as the model of Controlled Real-Time Automata (CRTA) [21]. Note that in both models, timing policies can be enforced by clock constraints.



Definition 3 A timed automaton is a tuple $\mathcal{A} = (\Sigma, Q, q_0, F, X, \Delta)$, where $\Sigma$, $Q$, $q_0$, $F$ are defined as in an ITA, $X$ is a set of clocks and the set of transitions is $\Delta \subseteq Q \times \mathcal{C}_0(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}_0(X) \times Q$, with guards in $\mathcal{C}_0(X)$ and updates in $\mathcal{U}_0(X)$.

The semantics of a timed automaton is also defined as a timed transition system, with the set $Q \times \mathbb{R}^X$ of configurations (no additional boolean value). Discrete steps are similar to those of ITA but in time steps, all clocks evolve with the same rate $1$: $(q, v) \xrightarrow{d} (q, v')$ iff for each clock $x$ in $X$, $v'(x) = v(x) + d$.



Controlled Real-Time Automata extend TA with the following features: the clocks and the states are partitioned according to colors belonging to a set $\Omega$ and with every state is associated a rational velocity. When time elapses in a state, the set of active clocks (i.e. with the color of the state) evolve with rate equal to the velocity of the state while other clocks remain unchanged. For the sake of clarity, we now propose a slightly simplified version of CRTA.

Definition 4 A CRTA $\mathcal{A} = (\Sigma, Q, q_0, F, X, up, low, vel, \lambda, \Delta)$ on a finite set $\Omega$ of colors is defined by:

— $\Sigma$, the alphabet of actions,

— $Q$, the set of states, with $q_0 \in Q$ the initial state and $F \subseteq Q$ the set of final states,

— $X$, the set of clocks,

— mappings $up$ and $low$ associating with each clock respectively an upper and a lower bound,

— $vel : Q \mapsto \mathbb{Q}$ the velocity mapping,

— $\lambda : X \uplus Q \mapsto \Omega$ the coloring mapping and

— $\Delta \subseteq Q \times \mathcal{C}_0(X) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}_0(X) \times Q$ the set of transitions, with guards in $\mathcal{C}_0(X)$ and updates in $\mathcal{U}_0(X)$.

Moreover, the lower and upper bound mappings satisfy $low(x) \le 0 \le up(x)$ for each clock $x \in X$, and $low(x) \le b \le up(x)$ for each constant $b$ such that $x \bowtie b$ is a constraint in $\Delta$.

The original semantics of CRTA is rather involved in order to obtain decidability of the reachability problem. It ensures that when entering a state $q$ in which clock $x$ is active, the following conditions on the clock bounds hold: if $vel(q) > 0$ then $x \ge low(x)$ and if $vel(q) < 0$ then $x \le up(x)$. Instead (and equivalently) we add a syntactical restriction which ensures this behavior. For instance, if a transition with guard $\varphi$ and reset $u$ enters state $q$ with $vel(q) < 0$ and if $x$ is the only clock such that $\lambda(x) = \lambda(q)$, then we replace this transition by two other transitions: the first one has guard $\varphi \wedge x > up(x)$ and adds $x := 0$ to the reset condition $u$, the other has guard $\varphi \wedge x \le up(x)$ and reset $u$. In the general case where $k$ clocks have color $\lambda(q)$, this leads to $2^k$ transitions. With this syntactical condition, again the only difference from ITA concerns a time step of duration $d$, defined by $(q, v) \xrightarrow{d} (q, v')$, with $v'(x) = v(x) + vel(q)\, d$ if $\lambda(x) = \lambda(q)$ and $v'(x) = v(x)$ otherwise.

A run of an automaton $\mathcal{A}$ in ITA, TA or CRTA is a finite or infinite path in the associated timed transition system $\mathcal{T}_{\mathcal{A}}$, where (possibly null) time steps and discrete steps alternate. An accepting run is a finite run starting in $s_0$ and ending in a configuration associated with a state of $F$. For such a run with label $d_1 a_1 d_2 \ldots d_n a_n$, we say that the word $(a_1, d_1)(a_2, d_1 + d_2) \cdots (a_n, d_1 + \cdots + d_n)$ (where $\varepsilon$ actions are removed) is accepted by $\mathcal{A}$. The set $\mathcal{L}(\mathcal{A})$ contains the timed words accepted by $\mathcal{A}$ and $Untimed(\mathcal{L}(\mathcal{A}))$, the untimed language of $\mathcal{A}$, contains the projections onto $\Sigma^*$ of the timed words in $\mathcal{L}(\mathcal{A})$. Interrupt Timed Languages or ITL (resp. Timed Languages or TL and Controlled Real-Time Languages or CRTL) denote the family of timed languages accepted by an ITA (resp. a TA and a CRTA).

For instance, the language $L_1$ accepted by the ITA $\mathcal{A}_1$ in Fig. 3(a) is

$L_1 = \mathcal{L}(\mathcal{A}_1) = \{(a, \tau)(b, 1 + \tau/2) \mid 0 \le \tau \le 1\}$.
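The following is an added example, not code from the paper: it encodes the time steps and discrete steps of Definition 2 directly and replays timed words on the automaton $\mathcal{A}_1$ of Fig. 3(a). The text supplies the levels of $q_0$ and $q_1$, the guard $x_1 \le 1$ and reset $x_2 := 0$ of $a$, and the guard $x_1 + 2x_2 = 2$ of $b$; that $q_2$ has level 2 and is the only final state, that every state is lazy, and that $b$ carries no update are assumptions made here. The point it demonstrates is the one the language $L_1$ encodes: in $q_1$ the lower-level clock $x_1$ is frozen, so $b$ can fire only at time $1 + \tau/2$.

```python
from fractions import Fraction as F

# Added example (not the paper's code): Definition 2 on the ITA A_1 of Fig. 3(a).
# From the text: q0 has level 1, q1 has level 2, a is guarded by x1 <= 1 and resets x2,
# b is guarded by x1 + 2*x2 = 2.  Assumed here: q2 has level 2 and is the only final
# state, all states are Lazy, b performs no update.
LEVEL = {"q0": 1, "q1": 2, "q2": 2}
POL = {"q0": "Lazy", "q1": "Lazy", "q2": "Lazy"}
FINAL = {"q2"}

# Transitions (source, guard, label, update, target).  An update maps a clock to a
# callable giving its new value from the OLD valuation; absent clocks keep their value.
TRANS = [
    ("q0", lambda v: v["x1"] <= 1, "a", {"x2": lambda v: F(0)}, "q1"),
    ("q1", lambda v: v["x1"] + 2 * v["x2"] == 2, "b", {}, "q2"),
]


def time_step(q, v, beta, d):
    """(q,v,beta) --d--> (q,v',True): only the active clock x_{lambda(q)} advances by d;
    clocks of lower levels stay suspended.  Returns None if the policy forbids it."""
    if d < 0:
        raise ValueError("negative delay")
    if d == 0:
        return (q, dict(v), beta)  # a null time step leaves the configuration unchanged
    if POL[q] == "Urgent":
        return None  # no time may elapse in an urgent state
    v2 = dict(v)
    v2[f"x{LEVEL[q]}"] += d
    return (q, v2, True)


def discrete_step(q, v, beta, label):
    """(q,v,beta) --label--> (q',v',False) along a transition whose guard v satisfies.
    The update is simultaneous: every right-hand side is evaluated on the OLD valuation."""
    if POL[q] == "Delayed" and not beta:
        return None  # a delayed state requires time to elapse before leaving
    for src, guard, lab, upd, tgt in TRANS:
        if src == q and lab == label and guard(v):
            v2 = {x: (upd[x](v) if x in upd else v[x]) for x in v}
            return (tgt, v2, False)
    return None


def run(word):
    """Replay a timed word [(a1, t1), (a2, t2), ...] from s0 = (q0, 0, False), alternating
    time steps and discrete steps.  Returns the last configuration, or None if blocked."""
    cfg = ("q0", {"x1": F(0), "x2": F(0)}, False)
    now = F(0)
    for label, tau in word:
        tau = F(tau)
        cfg = time_step(*cfg, tau - now)
        if cfg is None:
            return None
        now = tau
        cfg = discrete_step(*cfg, label)
        if cfg is None:
            return None
    return cfg


def accepts(word):
    """Timed-language membership: the run exists and ends in a final state."""
    cfg = run(word)
    return cfg is not None and cfg[0] in FINAL


if __name__ == "__main__":
    tau = F(1, 2)
    print(run([("a", tau)]))                         # x1 frozen at 1/2 in q1, x2 reset to 0
    print(accepts([("a", tau), ("b", 1 + tau / 2)]))  # b fires exactly when x1 + 2*x2 = 2
    print(accepts([("a", tau), ("b", F(3, 2))]))      # the guard of b is an equality
```

Because the guard of $b$ is an equality, `accepts` is true for $(a, \tau)(b, 1 + \tau/2)$ and for nothing else with the same $\tau$; a word whose $a$ occurs after $x_1 = 1$ is blocked at the first discrete step. Exact rationals are used so that equality guards are not affected by rounding.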



Languages of infinite timed words accepted by Büchi or Muller conditions could be
studied but this analysis should address technical issues such as Zeno runs and infinite 
sequences of e-transitions. 

In the context of model-checking, we also consider maximal runs which are either infinite or such that no discrete step is possible from the last configuration. The set of maximal runs starting from configuration $s$ is denoted by $Exec(s)$. Since maximal runs can be finite or infinite, we do not exclude Zeno behaviors. We use the notion of (totally ordered) positions (which allow one to consider several discrete actions simultaneously) along a maximal run [25]: for a run $\rho$, we denote by $<_\rho$ the strict order over positions. For position $\pi$ along $\rho$, the corresponding configuration is denoted by $s_\pi$, the prefix of $\rho$ up to $\pi$ is written $\rho^{\le \pi}$ and its duration, $Dur(\rho^{\le \pi})$, is the sum of all delays along the finite run $\rho^{\le \pi}$. Similarly, the suffix of $\rho$ starting from $\pi$ is denoted by $\rho^{\ge \pi}$. For two positions $\pi <_\rho \pi'$, the subrun of $\rho$ between these positions is written $\rho_{\pi, \pi'}$, its duration is $Dur(\rho^{\le \pi'}) - Dur(\rho^{\le \pi})$. The length of $\rho$, denoted by $|\rho|$, is the number of discrete transitions occurring in $\rho$.

3 Regularity of untimed ITL 

We prove in this section that the untimed language of an ITA is regular. Similarly to TA (and to CRTA), the proof is based on the construction of a (finite) class graph which is time abstract bisimilar to the transition system $\mathcal{T}_{\mathcal{A}}$. This result also holds for infinite words with standard Büchi conditions. As a consequence, we obtain decidability of the reachability problem, as well as decidability for plain CTL* model-checking.

The construction of classes is much more involved than in the case of TA. More precisely, it depends on the expressions occurring in the guards and updates of the automaton (while in TA it depends only on the maximal constant occurring in the guards). We associate with each state $q$ a set of expressions $Exp(q)$ with the following meaning. The values of clocks giving the same ordering of these expressions correspond to a class. In order to define $Exp(q)$, we first build a family of sets $\{E_k\}_{1 \le k \le n}$. Then $Exp(q) = \bigcup_{k \le \lambda(q)} E_k$ (recall that $\lambda(q)$ is the index of the active clock in state $q$). Finally in Theorem 1 we show how to build the class graph which proves the regularity of the untimed language. This immediately yields a reachability procedure given in Proposition 1.



3.1 Construction of $\{E_k\}_{k \le n}$



We first introduce an operation, called normalization, on expressions relative to some 
level. As explained in the construction below, this operation will be used to order 
expression values at a given level. 

Definition 5 (Normalization) Let $C = \sum_{i \le k} a_i x_i + b$ be an expression over $X_k = \{x_i \mid i \le k\}$, the $k$-normalization of $C$, $norm(C, k)$, is defined by:

if $a_k \ne 0$ then $norm(C, k) = x_k + (1/a_k)\left(\sum_{i < k} a_i x_i + b\right)$,
else $norm(C, k) = C$.

Since guards are linear expressions with rational constants, we can assume that in a guard $C \bowtie 0$ occurring in a transition outgoing from a state $q$ with level $k$, the expression $C$ is either $x_k + \sum_{i < k} a_i x_i + b$ (by $k$-normalizing the expression and if necessary changing the comparison operator) or $\sum_{i < k} a_i x_i + b$. It is thus written as $\alpha x_k + \sum_{i < k} a_i x_i + b$ with $\alpha \in \{0, 1\}$.

The construction of $\{E_k\}_{k \le n}$ proceeds top down from level $n$ to level $1$ after initializing $E_k = \{x_k, 0\}$ for all $k$. As we shall see below, when handling the level $k$, we add new terms to $E_i$ for $1 \le i \le k$. These expressions are the ones needed to compute a (pre)order on the expressions in $E_k$.

— At level $k$, first for every expression $\alpha x_k + \sum_{i < k} a_i x_i + b$ (with $\alpha \in \{0, 1\}$) occurring in a guard of an edge leaving a state of level $k$, we add $-\sum_{i < k} a_i x_i - b$ to $E_k$.

— Then we iterate the following procedure until no new term is added to any $E_i$ for $1 \le i \le k$.

1. Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q) \ge k$ and $\lambda(q') \ge k$. Let $C \in E_k$, then we add $C[u]$ to $E_k$ (recall that $C[u]$ is the expression obtained by applying update $u$ to $C$).

2. Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q) < k$ and $\lambda(q') \ge k$. Let $C$ and $C'$ be two different expressions in $E_k$. We compute $C'' = norm(C[u] - C'[u], \lambda(q))$, choosing an arbitrary order between $C$ and $C'$ in order to avoid redundancy. Let us write $C''$ as $\alpha x_{\lambda(q)} + \sum_{i < \lambda(q)} a_i x_i + b$ with $\alpha \in \{0, 1\}$. Then we add $-\sum_{i < \lambda(q)} a_i x_i - b$



We illustrate this construction of expressions for the automaton $\mathcal{A}_1$ of Fig. 3(a). Initially, we have $E_1 = \{0, x_1\}$ and $E_2 = \{0, x_2\}$. When treating level $2$, first, expression $-\frac{1}{2} x_1 + 1$ is added to $E_2$ as normalization of the guard $x_1 + 2x_2 = 2$. Then the transition labeled by $a$ updates $x_2$ (by resetting it to $0$). As a result, we have to add to $E_1$ all differences of expressions of $E_2$ updated by $x_2 := 0$. This only produces expression $-\frac{1}{2} x_1 + 1$, which is normalized into $x_1 - 2$; thus expression $2$ is added to $E_1$. When treating level $1$, expression $1$ from the guard of transition $a$ is added to $E_1$. As a result, we obtain $E_1 = \{x_1, 0, 1, 2\}$ and $E_2 = \{x_2, 0, -\frac{1}{2} x_1 + 1\}$.
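The following is an added example, not code from the paper. It implements the substitution $C[u]$ of Section 2.1, the $k$-normalization of Definition 5 and the top-down saturation of Section 3.1, and runs the saturation on $\mathcal{A}_1$ to reproduce the sets $E_1$ and $E_2$ just computed. Expressions are dictionaries from clock names to rational coefficients with the constant under the key `"b"`; the levels of $q_0$ and $q_1$ and the two guards are from the text, while the level of $q_2$ (taken as 2) and the absence of an update on $b$ are assumptions. Step 2 of the procedure is where this example goes beyond the text: it is written for any number of levels, not only the two of $\mathcal{A}_1$.

```python
from fractions import Fraction as F
from itertools import combinations

# Added example (not the paper's code): C[u], norm(C, k) and the construction of {E_k}.
# A linear expression sum_i a_i x_i + b is a dict {clock: a_i, "b": b}.


def canon(e):
    """Hashable canonical form of an expression: zero coefficients dropped, exact rationals."""
    return tuple(sorted((k, F(c)) for k, c in e.items() if F(c) != 0))


def lin(e, f, s=1):
    """The expression e + s*f."""
    out = {k: F(c) for k, c in e.items()}
    for k, c in f.items():
        out[k] = out.get(k, F(0)) + s * F(c)
    return out


def subst(e, u):
    """C[u]: replace every clock x of C by its update expression u[x] (x := x when absent)."""
    out = {"b": F(e.get("b", 0))}
    for k, c in e.items():
        if k != "b":
            out = lin(out, u.get(k, {k: 1}), c)
    return out


def norm(e, k):
    """k-normalization (Definition 5): divide by a_k when a_k != 0 so x_k gets coefficient 1."""
    a = F(e.get(f"x{k}", 0))
    return {kk: F(c) / a for kk, c in e.items()} if a != 0 else dict(e)


def rest(e, k):
    """From alpha*x_k + sum_{i<k} a_i x_i + b, the term -sum_{i<k} a_i x_i - b added to E_k."""
    return {kk: -F(c) for kk, c in e.items() if kk != f"x{k}"}


def build_E(n, level, trans):
    """trans: list of (q, [guard expressions compared with 0], update dict, q')."""
    E = {k: {canon({f"x{k}": 1}), canon({})} for k in range(1, n + 1)}  # E_k = {x_k, 0}
    for k in range(n, 0, -1):  # top down, from level n to level 1
        for q, guards, u, q2 in trans:  # guards of edges leaving a state of level k
            if level[q] == k:
                for g in guards:
                    E[k].add(canon(rest(norm(g, k), k)))
        changed = True
        while changed:  # saturate until no E_i (i <= k) grows
            changed = False
            for q, guards, u, q2 in trans:
                if level[q] >= k and level[q2] >= k:  # step 1: close E_k under C[u]
                    for c in list(E[k]):
                        new = canon(subst(dict(c), u))
                        if new not in E[k]:
                            E[k].add(new)
                            changed = True
                if level[q] < k <= level[q2]:  # step 2: normalized differences, pushed down
                    j = level[q]
                    for c, c2 in combinations(sorted(E[k]), 2):
                        d = norm(lin(subst(dict(c), u), subst(dict(c2), u), -1), j)
                        new = canon(rest(d, j))
                        if new not in E[j]:
                            E[j].add(new)
                            changed = True
    return E


# A_1 of Fig. 3(a): q0 (level 1) --x1 <= 1, a, x2 := 0--> q1 (level 2) --x1 + 2 x2 = 2, b--> q2
# (level 2 of q2 and the empty update of b are assumptions).
LEVEL_A1 = {"q0": 1, "q1": 2, "q2": 2}
TRANS_A1 = [
    ("q0", [{"x1": 1, "b": -1}], {"x2": {}}, "q1"),
    ("q1", [{"x1": 1, "x2": 2, "b": -2}], {}, "q2"),
]


def expressions_of_A1():
    return build_E(2, LEVEL_A1, TRANS_A1)


if __name__ == "__main__":
    for k, s in expressions_of_A1().items():
        print(k, sorted(s))  # level 1: {x1, 0, 1, 2}; level 2: {x2, 0, -x1/2 + 1}
```

Guards are passed as the expression compared with 0 (so $x_1 \le 1$ becomes $x_1 - 1$), which is all the construction needs since the comparison operator never enters the sets. The differences in step 2 are normalized at level $\lambda(q)$, so the sign of $C[u] - C'[u]$ is absorbed whenever $x_{\lambda(q)}$ occurs, which is why the arbitrary order of the pair does not matter there.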

Lemma 1 The construction procedure of $\{E_k\}_{k \le n}$ terminates and the size of every $E_k$ is bounded by $(E + 2)^{2^{n^2} + 1}$ where $E$ is the size of the edges of the ITA.

Proof Given some $k$, we prove the termination of the stage relative to $k$. Observe that the second step only adds new expressions to $E_{k'}$ for $k' < k$. Thus the two steps can be ordered. Let us prove the termination of the first step of the saturation procedure. We define $E_k^0$ as the set $E_k$ at the beginning of this stage and $E_k^i$ as this set after insertion of the $i$-th item in it. With each added item $C[u]$ can be associated its father $C$. Thus we can view $E_k$ as an increasing forest with finite degree (due to the finiteness of the edges) and finitely many roots. Assume that this step does not terminate. Then we have an infinite forest and by König's lemma, it has an infinite branch $C_0, C_1, \ldots$ where $C_{i+1} = C_i[u_i]$ for some update $u_i$ such that $C_{i+1} \ne C_i$. Observe that the number of updates that change the variable $x_k$ is either $0$ or $1$ since once $x_k$ disappears it cannot appear again. We split the branch into two parts before and after this update or we still consider the whole branch if there is no such update. In these (sub)branches, we conclude with the same reasoning that there is at most one update that changes the variable $x_{k-1}$. Iterating this process, we conclude that the number of updates is at most $2^k - 1$ and the length of the branch is at most $2^k$.

For the sake of readability, we set $B = E + 2$. The final size of $E_k$ is thus at most $|E_k^0| \times B^{2^k}$ since the width of the forest is bounded by $B$.

In the second step, we add at most $B \times (|E_k| \times (|E_k| - 1))/2$ expressions to $E_i$ for every $i < k$. This concludes the proof of termination.



We now prove by a painful backward induction that as soon as $n \ge 2$, $|E_k| \le B^{2^{n(n-k+1)} + 1}$. The doubly exponential size of $E_n$ (proved above) is propagated downwards by the saturation procedure. We define $p_k = |E_k|$.

Basis case $k = n$. We have $p_n \le p'_n \times B^{2^n}$ where $p'_n$ is the number of guards of the outgoing edges from states of level $n$. Thus $p_n \le B \times B^{2^n} = B^{2^n + 1}$, which is the claimed bound.

Inductive case. Assume that the bound holds for $k < j \le n$. Due to all executions of the second step of the procedure at strictly higher levels, $p'_k$ expressions were added to $E_k$, with:

$p'_k \le B + B \times \left((p_{k+1} \times (p_{k+1} - 1))/2 + \cdots + (p_n \times (p_n - 1))/2\right)$

$p'_k \le B + B \times \left(B^{2^{n(n-k)+1} + 2} + \cdots + B^{2^{n(n-k)+1} + 2}\right)$

$p'_k \le B \times (n - k + 1) \times B^{2^{n(n-k)+1} + 2}$

$p'_k \le B \times B^{n} \times B^{2^{n(n-k)+1} + 2}$ (since $n - k + 1 \le 2^n \le B^n$ as $B \ge 2$)

$p'_k \le B^{2^{n(n-k)+1} + n + 3}$

Taking into account the first step of the procedure for level $k$, we have:

$p_k \le p'_k \times B^{2^k} \le B^{2^{n(n-k)+1} + 2^k + n + 3}$

Let us consider the term $S = 2^{n(n-k+1)} + 1 - (2^{n(n-k)+1} + 2^k + n + 3)$. Since $k < n$,

$S \ge (2^{n-1} - 1)\, 2^{n(n-k)+1} - (2^k + n + 2)$

$S \ge (2^{n-1} - 1)\, 2^{n(n-k)+1} - (2^{n-1} + 2^n)$

$S \ge (2^{n-1} - 1)\, 2^{n(n-k)+1} - 2^{n+1} \ge 0$

Thus $p_k \le B^{2^{n(n-k)+1} + 2^k + n + 3} \le B^{2^{n(n-k+1)} + 1} = (E + 2)^{2^{n(n-k+1)} + 1}$ which is the claimed bound. $\square$



3.2 Construction of the class automaton 

In order to analyze the size of the class automaton defined below, we recall and adapt a classical result about partitions of $n$-dimensional Euclidean spaces.

Definition 6 Let $\{H_k\}_{1 \le k \le m}$ be a family of hyperplanes of $\mathbb{R}^n$. A region defined by this family is a connected component of $\mathbb{R}^n \setminus \bigcup_{1 \le k \le m} H_k$. An extended region defined by this family is a connected component of $\bigcap_{k \in I} H_k \setminus \bigcup_{k \notin I} H_k$ where $I \subseteq \{1, \ldots, m\}$.

Proposition 1 ([39]) The number of regions defined by the family $\{H_k\}_{1 \le k \le m}$ is at most $\sum_{i=0}^{n} \binom{m}{i}$.

We derive from this proposition:

Corollary 1 The number of extended regions defined by the family $\{H_k\}_{1 \le k \le m}$ is at most $e^2 m^{2n}$.

Proof Observe that an extended region is a region belonging to an intersection of at most $n$ hyperplanes (by removing redundant hyperplanes). Thus counting the number of such intersections and applying the previous proposition yields the following formula:

$\sum_{p=0}^{n} \binom{m}{p} \sum_{i=0}^{n-p} \binom{m-p}{i} \le \sum_{p=0}^{n} \frac{m^p}{p!} \sum_{i=0}^{n-p} \frac{m^i}{i!} \le \sum_{p=0}^{n} \frac{m^n}{p!} \sum_{i=0}^{n-p} \frac{m^n}{i!} \le e^2 m^{2n}$

$\square$

Theorem 1 The untimed language of an ITA is regular.

Proof First, we assume that the policy of every state is lazy. At the end of the proof, we explain how to adapt the construction for states with urgent or delayed policies.

Class definition. Let $\mathcal{A}$ be an ITA with $E$ transitions and $n$ clocks, the decision algorithm is based on the construction of a (finite) class graph which is time abstract bisimilar to the transition system $\mathcal{T}_{\mathcal{A}}$. A class is a syntactical representation of a subset of reachable configurations. More precisely, it is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ where $q$ is a state and $\preceq_k$ is a total preorder over $E_k$, for $1 \le k \le \lambda(q)$. The class $R$ describes the set of configurations:

$[\![R]\!] = \{(q, v, \beta) \mid \beta \in \{\top, \bot\},\ \forall k \le \lambda(q)\ \forall (g, h) \in E_k \times E_k,\ g[v] \le h[v] \text{ iff } g \preceq_k h\}$

The initial state of this graph is defined by the class Rq with J-Rq] containing 
(go,0,_L) which can be straightforwardly determined. For example, for ITA Ai of 
Fig. 3(a)[ the initial class is Rq = {qo, Zq) with Zq : xi = < 1 < 2. The final states 



are all R = {q, {^k}i<k<\(q)) with q e F. 

Observe that, fixing a state, the set of configurations $\llbracket R \rrbracket$ of a non-empty class $R$ is
exactly an extended region associated with the hyperplanes defined by the comparison
of two expressions of some $E_k$. Since $(E+2)^{2^{n^2}+1}$ is an upper bound of the number
of expressions of any level, $m = (E+2)^{2^{n^2+1}+2}$ is an upper bound of the number of
hyperplanes. So using Corollary 1 the number of semantically different classes for a
given state is bounded by:

$$e^2 m^n = e^2 (E+2)^{n 2^{n^2+1} + 2n}$$

Since one can test semantical equality between classes in polynomial time w.r.t. their
size [36], we implicitly consider in the sequel of the proof classes modulo the semantical
equivalence.

As usual, there are two kinds of transitions in the graph, corresponding to discrete
steps and time steps.

Discrete step. Let $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ and $R' = (q', \{\preceq'_k\}_{1 \le k \le \lambda(q')})$ be two classes.
There is a transition $R \xrightarrow{e} R'$ for a transition $e : q \xrightarrow{\varphi, a, u} q'$ if there is some $(q, v) \in \llbracket R \rrbracket$
and $(q', v') \in \llbracket R' \rrbracket$ such that $(q, v) \xrightarrow{e} (q', v')$. In this case, for all $(q, v) \in \llbracket R \rrbracket$ there is
a $(q', v') \in \llbracket R' \rrbracket$ such that $(q, v) \xrightarrow{e} (q', v')$. This can be decided as follows.

Firability condition. Write $\varphi = \bigwedge_{j \in J} C_j \bowtie_j 0$. Since we assumed normalized guards,
for every $j$, $C_j = a x_k + \sum_{i<k} c_i x_i + b$ (with $a \in \{0, 1\}$ and $k = \lambda(q)$). By construction
$C'_j = -\sum_{i<\lambda(q)} c_i x_i - b \in E_k$. For each $j \in J$, we define a condition depending on
$\bowtie_j$. For instance, if $\bowtie_j$ is $\le$, we require that $a x_k \preceq_k C'_j$, or if $\bowtie_j$ is $>$ we require that

$$a x_k \succeq_k C'_j \wedge C'_j \not\succeq_k a x_k$$

Successor definition. $R'$ is defined as follows. Let $k \le \lambda(q')$ and $g', h' \in E_k$.

1. Either $k \le \lambda(q)$: by construction, $g'[u], h'[u] \in E_k$, then $g' \preceq'_k h'$ iff $g'[u] \preceq_k h'[u]$.

2. Or $k > \lambda(q)$: let $D = g'[u] - h'[u] = \sum_{i \le \lambda(q)} c_i x_i + b$ and $C = \mathrm{norm}(D, \lambda(q))$,
and write $C = a x_{\lambda(q)} + \sum_{i<\lambda(q)} c_i x_i + b$ (with $a \in \{0, 1\}$). By construction
$C' = -\sum_{i<\lambda(q)} c_i x_i - b \in E_{\lambda(q)}$.

When $c_{\lambda(q)} > 0$ then $g' \preceq'_k h'$ iff $a x_{\lambda(q)} \preceq_{\lambda(q)} C'$.
When $c_{\lambda(q)} < 0$ then $g' \preceq'_k h'$ iff $C' \preceq_{\lambda(q)} a x_{\lambda(q)}$.

By definition of $\llbracket \cdot \rrbracket$,

– For any $(q, v) \in \llbracket R \rrbracket$, if there exists $(q, v) \xrightarrow{e} (q', v')$ then the firability condition is
fulfilled and $(q', v')$ belongs to $\llbracket R' \rrbracket$.

– If the firability condition is fulfilled then for each $(q, v) \in \llbracket R \rrbracket$ there exists $(q', v') \in
\llbracket R' \rrbracket$ such that $(q, v) \xrightarrow{e} (q', v')$.

Time step. Let $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$. There is a transition $R \xrightarrow{succ} Post(R)$ for
$Post(R) = (q, \{\preceq'_k\}_{1 \le k \le \lambda(q)})$, the time successor of $R$, which is defined as follows.

For every $i < \lambda(q)$, $\preceq'_i = \preceq_i$. Let $\sim$ be the equivalence relation $\preceq_{\lambda(q)} \cap \preceq_{\lambda(q)}^{-1}$ induced
by the preorder. On equivalence classes, this (total) preorder becomes a (total) order.
Let $V$ be the equivalence class containing $x_{\lambda(q)}$.

1. Either $V = \{x_{\lambda(q)}\}$ and it is the greatest equivalence class. Then $\preceq'_{\lambda(q)} = \preceq_{\lambda(q)}$
(thus $Post(R) = R$).

2. Either $V = \{x_{\lambda(q)}\}$ and it is not the greatest equivalence class. Let $V'$ be the next
equivalence class. Then $\preceq'_{\lambda(q)}$ is obtained by merging $V$ and $V'$, and preserving
$\preceq_{\lambda(q)}$ elsewhere.

3. Either $V$ is not a singleton. Then we split $V$ into $V \setminus \{x_{\lambda(q)}\}$ and $\{x_{\lambda(q)}\}$ and
"extend" $\preceq_{\lambda(q)}$ by $V \setminus \{x_{\lambda(q)}\} \prec'_{\lambda(q)} \{x_{\lambda(q)}\}$.

By definition of $\llbracket \cdot \rrbracket$, for each $(q, v) \in \llbracket R \rrbracket$, there exists $d > 0$ such that $(q, v + d) \in
\llbracket Post(R) \rrbracket$ and for each $d'$ with $0 < d' < d$, $(q, v + d') \in \llbracket R \rrbracket \cup \llbracket Post(R) \rrbracket$.

We now explain how the policy is handled. Given a state $q$ such that $pol(q) = U$, for
every class $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ we delete the time steps outgoing from $R$. The case
of a state $q$ such that $pol(q) = D$ is a little more involved. First we partition classes
between time-open classes, where for every configuration of the class there exists
a small amount of time elapse that leaves the new configuration in the same class, and
time-closed classes. The partition is performed w.r.t. the equivalence class $V$ of $x_{\lambda(q)}$
for the relation $\sim$ (see above in the proof). The class $R$ is time open iff $V = \{x_{\lambda(q)}\}$.
Then we successively replace every time-closed class $R$ by two copies $R^-$ and $R^+$,
which capture whether time has elapsed since the last discrete step. Thus, a time
edge entering $R$ is redirected towards $R^+$ while a discrete edge entering $R$ is redirected
towards $R^-$. A time step $R \xrightarrow{succ} R'$ is replaced by two transitions $R^- \xrightarrow{succ} R'$ and
$R^+ \xrightarrow{succ} R'$, while a discrete step $R \xrightarrow{e} R'$ is replaced by the transition $R^+ \xrightarrow{e} R'$.

Time-open classes allow time elapsing, hence no splitting is required for these classes.
Since there is at most one time edge outgoing from a class, the number of edges of
the new graph is at most twice the number of edges in the original graph. □
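The time-successor computation of the proof, as an added example that is not part of the original paper. It encodes the level-$\lambda(q)$ component of a class as an ordered list of equivalence classes over the expression names of $E_k$ (this representation, and the function names `post`, `is_time_open` and `time_successors`, are the example's own) and replays $Post$ from the class $Z_0$ of the example in Section 3.3, together with the time-open test used for delayed policies:

```python
from typing import List

# A level-k component of a class is a total preorder on the expressions of E_k.
# We represent it as an ordered list of equivalence classes (lists of expression
# names), smallest first; names sharing one inner list are "equal" in the preorder.
Preorder = List[List[str]]


def post(pre: Preorder, clock: str) -> Preorder:
    """Time successor of the level-k preorder `pre` (the three cases of the proof),
    where `clock` is the name of the active clock x_k of that level."""
    idx = next(i for i, cls in enumerate(pre) if clock in cls)
    V = pre[idx]
    if V == [clock]:
        if idx == len(pre) - 1:
            # case 1: {x_k} is the greatest class, nothing changes (Post(R) = R)
            return [list(c) for c in pre]
        # case 2: {x_k} is not the greatest class, merge it with the next class V'
        return ([list(c) for c in pre[:idx]]
                + [[clock] + list(pre[idx + 1])]
                + [list(c) for c in pre[idx + 2:]])
    # case 3: V is not a singleton, split it into V \ {x_k} strictly below {x_k}
    rest = [e for e in V if e != clock]
    return [list(c) for c in pre[:idx]] + [rest, [clock]] + [list(c) for c in pre[idx + 1:]]


def is_time_open(pre: Preorder, clock: str) -> bool:
    """A class is time open iff the equivalence class of x_k is the singleton {x_k}."""
    return [clock] in pre


def fmt(pre: Preorder) -> str:
    """Render a preorder in the notation of Section 3.3, e.g. '0 < x1 = 1 < 2'."""
    return " < ".join(" = ".join(cls) for cls in pre)


def time_successors(pre: Preorder, clock: str) -> List[Preorder]:
    """Iterate Post until the fixpoint of case 1 is reached; returns the whole chain."""
    chain = [pre]
    while True:
        nxt = post(chain[-1], clock)
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)


# Constructed input: the class Z_0 of Section 3.3, over E_1 = {x1, 0, 1, 2}.
Z0: Preorder = [["x1", "0"], ["1"], ["2"]]

if __name__ == "__main__":
    for r in time_successors(Z0, "x1"):
        print(fmt(r), "(time open)" if is_time_open(r, "x1") else "(time closed)")
```

Running the chain from $Z_0$ reproduces the six classes $R_0, R_0^1, \dots, R_0^5$ of Section 3.3 and stops when $x_1$ is alone in the greatest class; the time-open classes are exactly those where the active clock sits alone in its equivalence class, which is the criterion used when splitting classes for delayed states.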

Proposition 2 The reachability problem for Interrupt Timed Automata is decidable
and belongs to 2-EXPTIME, and to PTIME when the number of clocks is fixed.

Proof The reachability problem is solved by building the class graph and applying 
standard reachability algorithm. Since the number of semantically different classes is 
at most doubly exponential in the size of the model and the semantical equivalence 
can be checked in polynomial time w.r.t. the size of the class (also doubly exponential) 
this leads to a 2-EXPTIME complexity. When the number of clocks is fixed the size 
of the graph is at most polynomial w.r.t. the size of the problem leading to a PTIME 
procedure. No complexity gain can be obtained by a non deterministic search without 
building the graph since the size of the graph is only polynomial w.r.t. the size of a 
class. D 

Remarks. This result should be contrasted with the similar one for TA. The reacha- 
bility problem for TA is PSPACE-complete and thus less costly to solve than for ITA. 
However, fixing the number of clocks does not reduce the complexity for TA (when 
this number is greater than or equal to 3) while this problem belongs now to PTIME 
for ITA. Summarizing, the main source of complexity for ITA is the number of clocks, 
while in TA it is the binary encoding of the constants [2].

Since the construction of the graph depends on a set of expressions, there is no 
notion of granularity as in Timed Automata. When the only guards are comparisons to 
constants and the only updates resets of clocks (as in Timed Automata), the abstraction 
obtained is coarser than the region abstraction of [1]: it consists only in products of 
intervals. 



3.3 Example 



We illustrate this construction of a class automaton for the automaton $A_1$ of Fig. 3(a).
The resulting class automaton is depicted on Fig. 4, where dashed lines indicate time
steps.

Recall that we obtained $E_1 = \{x_1, 0, 1, 2\}$ and $E_2 = \{x_2, 0, -\frac{1}{2}x_1 + 1\}$. In state
$q_0$, the only relevant clock is $x_1$ and the initial class is $R_0 = (q_0, Z_0)$ with $Z_0 : x_1 =
0 < 1 < 2$. Its time successor is $R_0^1 = (q_0, Z_0^1)$ with $Z_0^1 : 0 < x_1 < 1 < 2$. Transition
$a$ leading to $q_1$ can be taken from both classes, but not from the next time successors
$R_0^2 = (q_0, 0 < x_1 = 1 < 2)$, $R_0^3 = (q_0, 0 < 1 < x_1 < 2)$, $R_0^4 = (q_0, 0 < 1 < x_1 = 2)$, or
$R_0^5 = (q_0, 0 < 1 < 2 < x_1)$.

Fig. 4 The class automaton for $A_1$

Transition $a$ switches from $R_0$ to $R_1 = (q_1, Z_0, x_2 = 0 < 1)$, because $x_1 = 0$, and
from $R_0^1$ to $R_1^1 = (q_1, Z_0^1, x_2 = 0 < -\frac{1}{2}x_1 + 1)$. Transition $b$ is fired from those time
successors for which $x_2 = -\frac{1}{2}x_1 + 1$.



On the geometric view of Fig. 3(b), the displayed trajectory corresponds to the
following path in the class automaton:

$$R_0 \to R_0^1 \to R_1^1 \to (q_1, Z_0^1, 0 < x_2 < -\tfrac{1}{2}x_1 + 1) \to (q_1, Z_0^1, 0 < x_2 = -\tfrac{1}{2}x_1 + 1) \to (q_2, Z_0^1, 0 < x_2 = -\tfrac{1}{2}x_1 + 1)$$



4 A simpler model 

4.1 Definition of ITA- 

We introduce a restricted version of ITA, called ITA_, which is interesting both from 
a theoretical and a practical point of view. When modeling interruptions in real-time 
systems, the clock associated with some level measures the time spent in this level or 
more generally the time spent by some tasks at this level. Thus when going to a higher 
level, this clock is not updated until returning to this level. The ITA_ model takes this 
feature into account. Moreover, it turns out that the reachability problem for ITA_ 
can be solved more efficiently. This also provides a better complexity upper-bound for 
the reachability problem on ITA (in the general case). 

Definition 7 The subclass ITA_ of ITA is defined by the following restriction on
updates. For a transition $q \xrightarrow{\varphi, a, u} q'$ of an automaton $A$ in ITA_ (with $k = \lambda(q)$ and
$k' = \lambda(q')$), the update $u$ is of the form $\bigwedge_{i=1}^{n} x_i := C_i$ with:

– if $k > k'$, then for $1 \le i \le k'$, $C_i := x_i$ and for $k' + 1 \le i \le n$, $C_i = 0$, i.e. the only
updates are the resets of now irrelevant clocks;

– if $k \le k'$ then $C_k$ is of the form $\sum_{j<k} a_j x_j + b$ or $C_k = x_k$. For $k < i \le k'$, $C_i = 0$
and $C_i = x_i$ otherwise.

Thus, complex updates appear only in transitions increasing the level, and only for
the active clock of the transition level.

The proof of the following result is based on Propositions 3 and 5 proved in the
next two sections.

Theorem 2 The reachability problem for ITA belongs to NEXPTIME.

Proof Given an ITA $A$ with transitions of size $E$ and constants coded over $b$ bits, we
build the ITA_ $A'$ of Proposition 3. Then we apply on $A'$ the reachability procedure
of Proposition 5. In this procedure, we consider paths of length bounded by $(E' + n)^{3n}$,
where $E'$ is the number of transitions of $A'$. Since $E' \le 2^{4bEn^2}$ (as shown in the proof
of Proposition 3), the length of the paths considered is bounded by

$$(E' + n)^{3n} \le \left(2^{4bEn^2} + n\right)^{3n} \le (n + 2)^{\,\cdots}$$

which establishes the claimed upper bounds. □



4.2 From ITA to ITA_ 

In this subsection we prove that ITA and ITA_ are equivalent w.r.t. the associated 
(timed) languages. 

Proposition 3 Given an ITA $A$, we build an automaton $A'$ in ITA_ accepting the
same timed language and with the same clocks such that its number of edges (resp.
states) is exponential w.r.t. the number of edges (resp. states) in $A$ and polynomial
when the number of clocks is fixed.

Proof Starting from ITA $A = (\Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta)$, the construction of
automaton $A'$ relies on memorizing at a given level $i$, for every clock $x_j$ at a lower
level, an expression depending on $x_1, \dots, x_{j-1}$, corresponding to the delayed update
of $x_j$. This expression is used later to replace the value of $x_j$ in guards and to restore
its correct value by update after decreasing to level $j$.

To this aim we associate with every pair of levels $i > j$ a set of expressions $F_{i,j}$
inductively defined by:

– $\forall i > j$, $F_{i,j} = F_{i-1,j} \cup \{e[\{x_k \leftarrow e_k\}_{k<j}] \mid e$ is the expression of an update of $x_j$ by
an edge of level $i$ and $\forall k, e_k \in F_{i,k}\}$

We write $F_j = F_{n,j} = \bigcup_{i=j+1}^{n} F_{i,j}$. The set $F_j$ thus contains all expressions of updates
of $x_j$ that appear at higher levels.

Although the number of expressions is syntactically doubly exponential w.r.t. the
number of clocks, one can show that the number of distinct expressions is only singly
exponential.

First we assume that ITA $A$ has only integral constants; the case of rational constants
is handled at the end of the proof. It can be shown that every expression $e_k$ of
$F_k$ can be written

$$e_k = \sum_{(i_0, \dots, i_p) \in sub(k)} \cdots$$

with the convention that $x_0$ is the constant 1, and where $sub(k)$ is the set of all (ordered)
subsequences of $0, \dots, k-1$ and $a_{j,i}$ is the coefficient of $x_i$ in some update of $x_j$.

For the family $a$ of all integers $a_{j,i}$, assume that these constants are coded over
$b_a$ bits each (including the sign of the coefficient). The expression $x_{i_0}$ can also be
coded into an integer of $\log_2(n)$ bits (with a special symbol to indicate that it is the
expression of a clock rather than a constant). Let $b = \max(b_a, \log_2(n) + 1)$ be the
(maximal) number of bits used to code a coefficient. Then each term of the sum is a
product of at most $k$ such coefficients, therefore can be coded with $kb$ bits. Summing
at most $2^k$ such products yields an integer that can be coded over $kb + k$ bits. Thus
there can be at most $2^{k(b+1)}$ different expressions in $F_k$.

Automaton $A'$ is then defined as follows.

– The set of states is

$$Q' = \{(q^+, e_1, \dots, e_{i-1}) \mid q \in Q,\ \lambda(q) = i \text{ and } \forall j, e_j \in F_j\} \cup \{(q^-, e_1, \dots, e_i) \mid q \in Q,\ \lambda(q) = i \text{ and } \forall j, e_j \in F_j\},$$

with $pol(q^+, e_1, \dots, e_{i-1}) = pol(q)$ and $pol(q^-, e_1, \dots, e_i) = U$.
Note that the sequence is empty if $i = 1$. Moreover:

$$\lambda(q^+, e_1, \dots, e_{i-1}) = \lambda(q^-, e_1, \dots, e_i) = \lambda(q).$$

– The initial state of $A'$ is $(q_0^+, x_1, \dots, x_{i-1})$ if $\lambda(q_0) = i$. The final states of $A'$ are
the states with first component $q$ for $q \in F$.

– Let $q \xrightarrow{\varphi, a, u} q'$ be a transition in $A$ such that $\lambda(q) = i$, $\lambda(q') = i'$ and $u$ is defined
by $\bigwedge_{j=1}^{n} x_j := C_j$.

• If $i \le i'$, then for every $(q^+, e_1, \dots, e_{i-1})$ there is a transition

$$(q^+, e_1, \dots, e_{i-1}) \xrightarrow{\varphi', a, u'} (q'^+, e'_1, \dots, e'_{i'-1})$$

in $A'$ with $\varphi' = \varphi[\{x_j \leftarrow e_j\}_{j<i}]$, update $u'$ is defined by $x_i := C_i[\{x_j \leftarrow
e_j\}_{j<i}]$; for all $j < i$, $e'_j = C_j[\{x_k \leftarrow e_k\}_{k<j}]$ and for all $j$ such that $i \le j < i'$,
$e'_j = x_j$.

• If $i > i'$ then for every $(q^+, e_1, \dots, e_{i-1})$ there is a transition

$$(q^+, e_1, \dots, e_{i-1}) \xrightarrow{\varphi', a, u'} (q'^-, e'_1, \dots, e'_{i'})$$

in $A'$ with $\varphi' = \varphi[\{x_j \leftarrow e_j\}_{j<i}]$, update $u'$ contains only the trivial updates
$x_j := x_j$ for all clocks and for all $j \le i'$, $e'_j = C_j[\{x_k \leftarrow e_k\}_{k<j}]$.

• For every $(q^-, e_1, \dots, e_i)$ there is in $A'$ a transition

$$(q^-, e_1, \dots, e_i) \longrightarrow (q^+, e_1, \dots, e_{i-1}).$$

In words, given a transition, the guard is modified according to these expressions.
The modification of the update consists only in applying the update at the current level
and taking into account the other updates in the expressions labeling the destination
state. When the transition increases the level, the expression associated with a new
"frozen" clock ($x_j$ for $i \le j < i'$) is the clock itself. The urgent states $(q^-, -)$ are
introduced for handling the case of a transition that decreases the level. In this case,
one reaches such a state that also memorizes the expression of the clock at the current
level. Note that the memorized expressions can correspond to an update performed
at any (higher) level. From this state a single transition must be (immediately) taken
whose effect is to perform the update corresponding to the memorized expression.

It is routine to check that the languages of the two automata are identical. Each
transition in $A$ is replaced by several transitions in $A'$, whose number is bounded by the
number of expressions that can be attached to the source of the original transition. In
addition, transitions decreasing level are further "split" through states $(q^-, -)$. Thus
the number $E'$ of transitions in $A'$ is bounded by

$$E' \le 2 \cdot E \cdot |F_n|^n \le 2 \cdot E \cdot \left(2^{n(b(E+1)+1)}\right)^n = 2^{n^2(b(E+1)+1) + 1 + \log_2(E)} \le 2^{n^2((b+1)(E+1)+1)} \le 2^{4bEn^2}$$

(provided $E \ge 2$). This yields the exponential complexity for the number of transitions.
The case of the number of states is similar.

In the case when there are rational constants, assume each constant is coded with
a pair $(r, d)$ of numerator and denominator. Assume each $r$ and $d$ can be coded over $b$
bits. We compute the lcm $\delta$ of all denominators: since there are at most $E$ constants
($E$, the size of $A$, contains the number of guards and updates), $\delta$ can be coded over
$Eb$ bits. We consider ITA $A_\delta$ which is $A$ where all constants are multiplied by $\delta$. Thus
a constant of $A_\delta$ is an integer that can be coded over $b' = Eb + b = b(E+1)$ bits.
The above bound on the number of expressions applies on $A_\delta$. Note that after the
construction of $A'_\delta$, $A'$ can be obtained by dividing each constant in $A'_\delta$ by $\delta$. □



Example. We illustrate this construction on ITA $A_2$ of Fig. 5. The sets of expressions
are computed as in Table 1 and the resulting ITA_ $A'_2$ is depicted on Fig. 6.

Fig. 5 ITA $A_2$ containing updates of frozen clocks

The translation above of an ITA into an equivalent ITA_ induces an exponential
blowup. The proposition below shows that the bound is reached.

Proposition 4 There exists a family $\{A_n\}_{n \in \mathbb{N}}$ of ITA with two states, $n$ clocks and
constants coded over $b$ bits, where $b$ is polynomial in $n$, such that the equivalent ITA_
built by the procedure above has a number of states greater than or equal to $2^n$.

Fig. 6 ITA_ $A'_2$ equivalent to $A_2$

Table 1 Sets of expressions $F_{i,j}$ for $A_2$.



Proof For $n \in \mathbb{N}$, let $A_n$ be the ITA with $n$ clocks and two states $q_{init}$ (initial) and $q$
(final), both of level $n$ (and lazy policy), built as follows. There is a transition from $q_{init}$
to $q$ with update $\bigwedge_{k=1}^{n} x_k := 1$ that sets all clocks to 1. For $1 \le k \le n$ there are two
loops on $q$ with updates $x_k := x_{k-1}$ and $x_k := a_k x_{k-1}$ respectively, where $a_k$ is the
$k$th prime number (and with the convention that $x_0$ is the constant 1).

When building the sets of expressions, no expressions are added until level $n$, since
all updates occur at this level. At level $k$, $F_{n,k}$ contains (at least) $2^k$ expressions: all
possible products of the first $k$ prime numbers, namely

$$F_{n,k} \supseteq \Big\{ \prod_{i \in I} a_i \ \Big|\ I \subseteq \{1, \dots, k\} \Big\}$$

Indeed, at level 1, $F_{n,1} \supseteq \{x_1, 1, 2\}$. Now assume that $F_{n,k-1}$ contains all products
$\prod_{i \in I} a_i$ where $I \subseteq \{1, \dots, k-1\}$. By update $x_k := x_{k-1}$, $F_{n,k} \supseteq F_{n,k-1}$. By update
$x_k := a_k x_{k-1}$, $F_{n,k}$ contains all products $a_k \prod_{i \in I} a_i = \prod_{i \in I \cup \{k\}} a_i$ for $I \subseteq \{1, \dots, k-1\}$. Therefore

$$F_{n,k} \supseteq \Big\{ \prod_{i \in I} a_i \ \Big|\ I \subseteq \{1, \dots, k\} \Big\}$$

The expressions thus built are distinct, since they are products of distinct prime numbers.
Remark that the set of expressions for level $k$ is in bijection with a sequence of
updates $x_1 := \dots, x_2 := \dots, \dots, x_k := \dots$, the choice of the update depending on the
choice of the set $I$.

Therefore all expressions of $F_{n,n}$ are reached (in association with state $q$) and the
set of states in $A'_n$ is at least of size $2^n$. In addition, it should be noted that the $n$th
prime number is in $O(n \log_2(n))$, therefore can be coded over $O(\log_2(n))$ bits. So the
size of the constants appearing in the updates (and the size of the representation of
$A_n$) is polynomial in $n$ while the representation of $A'_n$ is exponential in $n$. □
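An added illustration, not code from the paper, of the inductive construction of the sets $F_{i,j}$ of Section 4.2 applied to the family $A_n$ of Proposition 4. Expressions are linear combinations over $x_0, \dots, x_n$ with $x_0 = 1$; the substitution $e[\{x_j \leftarrow e_j\}_{j<k}]$ is computed over all choices of $e_j$ in the lower sets, which is what produces the $2^k$ products of primes. The representation and the function names (`expression_sets`, `constants_in`, `updates_of_A_n`) are the example's own:

```python
from fractions import Fraction
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# A linear expression over x_0, ..., x_n is a tuple of n+1 Fractions; index 0 is the
# coefficient of x_0, the constant 1 (the paper's convention).
Expr = Tuple[Fraction, ...]


def var(i: int, n: int, coef=1) -> Expr:
    """The expression coef * x_i over clocks x_0..x_n."""
    return tuple(Fraction(coef) if j == i else Fraction(0) for j in range(n + 1))


def substitute(e: Expr, env: Dict[int, Expr]) -> Expr:
    """e[{x_k <- env[k]}]: replace each clock x_k of e by the expression env[k]."""
    res = list(e)
    for k, ek in env.items():
        c = res[k]
        res[k] = Fraction(0)
        for i, coef in enumerate(ek):
            res[i] += c * coef
    return tuple(res)


def first_primes(n: int) -> List[int]:
    """The first n prime numbers a_1, ..., a_n by trial division (n is small here)."""
    primes: List[int] = []
    cand = 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes


def updates_of_A_n(n: int) -> Dict[int, List[Expr]]:
    """Update expressions of the level-n edges of A_n, grouped by the updated clock x_k:
    x_k := 1 (edge q_init -> q), x_k := x_{k-1} and x_k := a_k x_{k-1} (loops on q)."""
    a = first_primes(n)
    return {k: [var(0, n), var(k - 1, n), var(k - 1, n, a[k - 1])] for k in range(1, n + 1)}


def expression_sets(n: int) -> Dict[int, FrozenSet[Expr]]:
    """F_{n,k} for k = 1..n following the inductive definition of Section 4.2: an update
    e of x_k at level n contributes e[{x_j <- e_j}_{j<k}] for every choice e_j in F_{n,j};
    the clock x_k itself (no delayed update) is always present."""
    ups = updates_of_A_n(n)
    F: Dict[int, FrozenSet[Expr]] = {}
    for k in range(1, n + 1):
        acc = {var(k, n)}
        for e in ups[k]:
            lower = [j for j in range(1, k) if e[j] != 0]  # only clocks occurring in e matter
            for choice in product(*(F[j] for j in lower)):
                acc.add(substitute(e, dict(zip(lower, choice))))
        F[k] = frozenset(acc)
    return F


def constants_in(fs: FrozenSet[Expr]) -> FrozenSet[Fraction]:
    """Constant expressions (no clock occurs) of a set; for A_n these are the prime products."""
    return frozenset(e[0] for e in fs if all(c == 0 for c in e[1:]))


if __name__ == "__main__":
    for k, fs in expression_sets(4).items():
        print(f"|F_4,{k}| = {len(fs)}, constants = {sorted(int(c) for c in constants_in(fs))}")
```

For $n = 3$ the sets have sizes 3, 7 and 15, and the constants of $F_{3,3}$ are exactly the eight products of subsets of $\{2, 3, 5\}$, matching the $2^k$ lower bound of the proof; the doubling from one level to the next is visible directly in the sizes.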



4.3 Reachability on ITA_ 

In this section we use counting arguments to obtain an upper bound for the reachability 
problem on ITA_. 

The following counting lemma does not depend on the effect of the updates but 
only on the timing constraints induced by the policies. 

Lemma 2 (Counting Lemma) Let $A$ be an ITA_ with $E$ transitions and $n$ clocks;
then in a sequence $(e_1, \dots, e_l)$ of transitions of $A$ where $l > (E + n)^{3n}$, there exist $i < j$
with $e_i = e_j$ such that the level of any transition $e_k$ with $i \le k \le j$ is greater than or
equal to the level of $e_i$, say $p$, and:

– either $e_i$ updates $x_p$,

– either no $e_k$ with $i < k < j$ updates $x_p$ and $e_i$ is delayed or lazy,

– or no $e_k$ with $i < k < j$ updates $x_p$ and no time elapses for clock $x_p$ between $e_i$ and
$e_j$.

Proof Assume that the conclusions of the lemma are not satisfied; we claim that $l \le
(E + n)^{3n}$.

First we prove that the number of transitions of level $m$ that occur between two
occurrences of transitions of strictly lower level is less than or equal to $(E + 1)^3$. Indeed
there can be no more than $E$ occurrences of transitions that update $x_m$. Then between
two such transitions (or before the first or after the last) there can be no more than $E$
lazy or delayed transitions of level $m$ that do not update $x_m$. Finally between any kind
of previous transitions (or before the first or after the last), there can be no more than
$E$ urgent transitions that do not update $x_m$, since they prevent time from elapsing at
level $m$.

Summing up, there can be no more than $E + E(E + 1) + E(E(E + 1) + 1) \le (E + 1)^3$
transitions of level $m$ that occur between two occurrences of transitions of strictly lower
level.

Now we prove by induction that the number of transitions at level less than or
equal to $m$ is at most $(E + m)^{3m}$. This is true for $m = 1$ by the previous proof.
Assume the formula valid for $m$; then grouping the transitions of level $m + 1$ between
the occurrences of transitions of lower level (or before the first or after the last), we
obtain that the number of transitions at levels less than or equal to $m + 1$ is at most:

$$(E + m)^{3m} + ((E + m)^{3m} + 1)(E + 1)^3 \le (E + m)^{3m+3} + 2(E + m)^{3m} \le (E + m + 1)^{3(m+1)} \qquad \square$$
Proposition 5 The reachability problem for ITA_ belongs to NEXPTIME. More precisely,
reachability can be checked over paths with length less than or equal to $(E + n)^{3n}$,
where $E$ is the number of transitions and $n$ is the number of clocks.

Proof Let $A = (\Sigma, Q, q_0, F, pol, X, \lambda, \Delta)$ be an ITA_ with $n$ clocks. Let $E = |\Delta|$ be
the number of transitions of $A$. Assume that there is a run of minimal length $\rho$ from
$(q_0, v_0)$ to some configuration $(q_f, v_f)$. Suppose now that $|\rho| > B = (E + n)^{3n}$. We will
build a run $\rho'$ from $(q_0, v_0)$ to $(q_f, v_f)$ that is strictly smaller, hence contradicting the
minimality hypothesis.

Since $|\rho| > B$, one of the three cases of Lemma 2 applies. Therefore there is
a transition $e$ at level $k$ repeated twice, from positions $\pi$ and $\pi'$, separated by a
subrun $\sigma$ containing only transitions of level higher than or equal to $k$. Moreover:

– Either $e$ updates $x_k$. In this case, all clocks have the same value after the first and
the second occurrence of $e$. Hence removing $e\sigma = \rho_{[\pi, \pi']}$ from $\rho$ yields a valid run
$\rho'$ of $A$ reaching $(q_f, v_f)$. Run $\rho'$ is strictly smaller than $\rho$, since $e\sigma$, which is of
length at least 1, was removed.

– Either no update occurred for $x_k$ and $e$ is delayed or lazy. In this case, upon
reaching $\pi'$, the clocks of level $i < k$ have retained the same value, while $x_k$ has
increased by $Dur(\rho_{[\pi, \pi']})$. Hence when replacing $e\sigma = \rho_{[\pi, \pi']}$ by a time step of
duration $Dur(\rho_{[\pi, \pi']})$, the configuration in $\pi'$ is unchanged. In addition, since $e$
was delayed or lazy, this time step is allowed in $A$, and this yields a shorter run of
$A$.

– Or no update occurred and $\pi$ and $\pi'$ are at the same instant (separated by instantaneous
actions). In this case, all clocks of level smaller than or equal to $k$ again
have the same value after the first and the second occurrence of $e$. Again removing
$\rho_{[\pi, \pi']}$ yields a smaller run.

The decision procedure is as follows. It non-deterministically guesses a path in the
ITA_ whose length is less than or equal to the bound. In order to check that this
path yields a run, it builds a linear program whose variables are $\{x_k^j\}$, where $x_k^j$ is the
value of clock $x_k$ after the $j$th step, and $\{d_j\}$ where $d_j$ is the amount of time elapsed
during the $j$th step, when $j$ corresponds to a time step. The equations and inequations
are deduced from the guards and updates of discrete transitions in the path and the
delay of the time steps. The size of this linear program is exponential w.r.t. the size
of the ITA_. As a linear program can be solved in polynomial time [36], we obtain a
procedure in NEXPTIME. □

One could wonder whether the class graph construction would lead to a better
complexity when applied on ITA_. Unfortunately, the number of expressions occurring
in the class graph, while being smaller than for ITA, is still doubly exponential w.r.t.
the size of the model.



5 Timed model-checking 

First observe that model-checking CTL* formulas on ITA can be done with classical 
procedures on the class graph previously built. We now consider verification of real 
time formulas. 
In the case of linear time, the logic LTL has been extended into the Metric Temporal
Logic (MTL) [27], by adding time intervals as constraints to the U modality. However,
MTL suffers from undecidability of the model-checking problem on TA. Hence decidable
fragments have been proposed, such as Metric Interval Temporal Logic (MITL) [?],
which prohibits the use of point intervals (of the form $[a, a]$). Later, MITL was restricted
into State Clock Logic (SCL) [35], in order to obtain more efficient verification procedures.
Model-checking MITL (thus SCL) on TA is decidable. Unfortunately, we show
here that model-checking SCL (thus MITL) on ITA is undecidable. For this, we reduce
the halting problem on a two counter machine into model-checking an SCL formula on
an ITA.



Concerning branching time logics, at least two different timed extensions of CTL
have been proposed. The first one [2] also adds time intervals to the U modality
while the (more expressive) second one considers formula clocks [22]. Model-checking
timed automata was proved decidable in both cases and compared expressiveness was
revisited later on [14].

We conjecture that model-checking of TCTL is undecidable when using two (or
more) formula clocks. Indeed, as shown in Section 7.1, the reachability problem in a
product of an ITA and a TA with two clocks is undecidable, thus prohibiting model-checking
techniques through automaton product and reachability testing as in [?]. However,
contrary to what is claimed in [10], this is not enough to yield an undecidability
proof.

Two fragments for which model-checking is decidable on ITA have nonetheless been
identified. The first one, TCTL$_{int}$, accepts only internal clocks (from the automaton
on which the formulas will be evaluated) as formula clocks. The second one, TCTL$_p$,
restricts the nesting of U modalities. We provide verification procedures in both cases.



5.1 Undecidability of State Clock Logic 

We first consider the timed extension of linear temporal logic, and more particularly
the SCL fragment [35].

Definition 8 Formulas of the timed logic SCL are defined by the following grammar:

$$\varphi ::= p \mid \varphi \wedge \varphi \mid \neg\varphi \mid \varphi\,U\,\varphi \mid \varphi\,S\,\varphi \mid \triangleright_{\bowtie a}\varphi \mid \triangleleft_{\bowtie a}\varphi$$

where $p \in AP$ is an atomic proposition, $\bowtie \in \{>, \ge, =, \le, <\}$, and $a$ is a rational
number.

We use the usual shorthands $\top$ for $\neg(p \wedge \neg p)$, $F\psi$ for $\top U \psi$, $G\psi$ for $\neg(F\neg\psi)$ and $\varphi \Rightarrow \psi$
for $\neg(\varphi \wedge \neg\psi)$.

The semantics are defined in the usual manner for boolean operators and $U$. The
$S$ modality is the past version of $U$. Modality $\triangleright_{\bowtie a}\varphi$ is true if the next time $\varphi$ is true
will occur in a delay that respects the condition $\bowtie a$. Similarly, $\triangleleft_{\bowtie a}\psi$ is true if the
last time $\psi$ was true occurred in a (past) delay that respects the condition $\bowtie a$. More
formally, for an execution $\rho$, we inductively define $(\rho, \pi) \models \varphi$ by:

$(\rho, \pi) \models p$ iff $p \in lab(s_\pi)$

$(\rho, \pi) \models \varphi \wedge \psi$ iff $(\rho, \pi) \models \varphi$ and $(\rho, \pi) \models \psi$

$(\rho, \pi) \models \neg\varphi$ iff $(\rho, \pi) \not\models \varphi$

$(\rho, \pi) \models \varphi\,U\,\psi$ iff there is a position $\pi' \ge_\rho \pi$ such that $(\rho, \pi') \models \psi$
and for all $\pi''$ s.t. $\pi \le_\rho \pi'' <_\rho \pi'$, $(\rho, \pi'') \models \varphi \vee \psi$

$(\rho, \pi) \models \varphi\,S\,\psi$ iff there is a position $\pi' \le_\rho \pi$ such that $(\rho, \pi') \models \psi$
and for all $\pi''$ s.t. $\pi \ge_\rho \pi'' >_\rho \pi'$, $(\rho, \pi'') \models \varphi \vee \psi$

$(\rho, \pi) \models \triangleright_{\bowtie a}\varphi$ iff either $(\rho, \pi) \models \varphi$ and $0 \bowtie a$,
or there is a position $\pi' >_\rho \pi$ such that $(\rho, \pi') \models \varphi$,
$Dur(\rho_{[\pi, \pi']}) \bowtie a$ and for all $\pi''$ s.t. $\pi <_\rho \pi'' <_\rho \pi'$, $(\rho, \pi'') \not\models \varphi$

$(\rho, \pi) \models \triangleleft_{\bowtie a}\varphi$ iff either $(\rho, \pi) \models \varphi$ and $0 \bowtie a$,
or there is a position $\pi' <_\rho \pi$ such that $(\rho, \pi') \models \varphi$,
$Dur(\rho_{[\pi', \pi]}) \bowtie a$ and for all $\pi''$ s.t. $\pi >_\rho \pi'' >_\rho \pi'$, $(\rho, \pi'') \not\models \varphi$

Given an ITA $A$ and an SCL formula $\varphi$, $A \models \varphi$ if for all executions $\rho$ of $A$, $(\rho, \pi_0) \models \varphi$,
where $\pi_0 = 0$ is the initial position of $\rho$.

Theorem 3 Model checking SCL over ITA is undecidable. Specifically, there exists a
fixed formula using only modalities $U$ and $\triangleleft_{=a}$ such that checking its truth over ITA
with 3 levels is undecidable.

Proof We build an ITA and an SCL formula that together simulate a deterministic two
counter machine. More specifically, we define a formula $\varphi_{2cm}$ such that given a two
counter machine $M$, we can build an ITA $A_M$ with three clocks such that $A_M \models \varphi_{2cm}$
if and only if $M$ does not halt.

Recall that such a machine $M$ consists of a finite sequence of labeled instructions,
which handle two counters $c$ and $d$, and ends at a special instruction with label Halt.
The other instructions have one of the two forms below, where $e \in \{c, d\}$ represents
one of the two counters:

– $e := e + 1$; goto $\ell'$

– if $e > 0$ then ($e := e - 1$; goto $\ell$) else goto $\ell'$

Without loss of generality, we may assume that the counters have initial value zero. The
behavior of the machine is described by a (possibly infinite) sequence of configurations:
$(\ell_0, 0, 0)(\ell_1, n_1, p_1) \dots (\ell_i, n_i, p_i) \dots$, where $n_i$ and $p_i$ are the respective counter values
and $\ell_i$ is the label, after the $i$th instruction. The problem of termination for such a
machine ("is the Halt label reached?") is known to be undecidable [32].

The idea of the encoding is that, provided the execution satisfies the formula, clocks
of level 1 and 2 keep the values of $c$ and $d$ indifferently, by $x_i = \frac{1}{2^n}$ if $n$ is the value of
a counter $e$. Level 3 will be used as the working level. Transmitting the value of clocks
to lower levels, prohibited in the ITA model, will be enforced by SCL formulas. In the
sequel, we will define:

– a module $A_\leftrightarrow$ and a formula $\varphi_\leftrightarrow$ such that the values contained in clocks $x_1$ and
$x_2$ at the beginning of an execution $\rho$ are swapped if and only if $(\rho, 0) \models \varphi_\leftrightarrow$,

– a module $A_+$ and a formula $\varphi_+$ such that if the value of $x_2$ is $\frac{1}{2^n}$ at the beginning
of an execution $\rho$, then $x_2$ has value $\frac{1}{2^{n+1}}$ if and only if $(\rho, 0) \models \varphi_+$,

– a module $A_-$ and a formula $\varphi_-$ such that if the value of $x_2$ is $\frac{1}{2^n}$ with $n > 0$ at
the beginning of an execution $\rho$, then $x_2$ has value $\frac{1}{2^{n-1}}$ if and only if $(\rho, 0) \models \varphi_-$.

Joining these modules according to $M$ yields an ITA. Combining the formulas (independently
of $M$), we obtain an SCL formula that is satisfied if some execution, while
complying with the formulas of the modules, reaches the final state. Both constructions
are explained in detail after the definitions below.

Let us define formulas $Span_1 = q' \Rightarrow \triangleleft_{=1} q$ and $Span_2 = p' \Rightarrow \triangleleft_{=2} p$ where $p$, $p'$,
$q$, $q'$ are propositional variables. Let $x_1^0$ and $x_2^0$ denote the respective values of $x_1$ and
$x_2$ upon entering a given module.

Swapping module. The module $A_\leftrightarrow$ that swaps the values of $x_1$ and $x_2$ is depicted
in Fig. 7. Note that this module does not actually swap the values of $x_1$ and $x_2$ for
every execution. However, by imposing that state $q_{end}$ is reached exactly 2 time
units after $q_0$ (or $q'_0$) was left, and that $q_4$ (resp. $q'_4$) is reached exactly 1 t.u. after
$q_1$ (resp. $q'_1$) was left, the values of $x_1$ and $x_2$ will be swapped. This requirement
can be expressed in SCL by $\varphi_\leftrightarrow = G(Span_1 \wedge Span_2)$. Let $w_i$ be the time elapsed
in state $q_i$, for an execution $\rho$ of $A_\leftrightarrow$ that satisfies $\varphi_\leftrightarrow$. Note that $q_{start}$ and $q_{end}$
are all urgent, hence no time can elapse in these states. We shall therefore consider
only what happens in the swapping submodules. We detail only the case when
$x_2 > x_1$, the case when $x_2 < x_1$ is analogous. The ITA constraints provide:

$w_0 = 0$ ($q_0$ is urgent)

$w_1 = x_2^0 - x_1^0$ (update $x_3 := x_1$ and guard $x_3 = x_2$)

$w_2 = 1 - x_2^0$ (guard $x_2 = 1$)

$w_4 = 0$ ($q_4$ is urgent)

The time spent between the last instant $q$ was satisfied (upon leaving $q_1$) and the
only instant when $q'$ is true (upon entering $q_4$) is exactly the time spent in states
$q_2$ and $q_3$. Similarly, the time between the last instant $p$ was satisfied (leaving $q_0$)
and the instant $p'$ is true (when reaching $q_{end}$) is the total amount of time spent
in $q_1$, $q_2$, $q_3$, $q_4$, and $q_5$. Hence, if $\varphi_\leftrightarrow$ is satisfied then:

$w_2 + w_3 = 1$ ($q' \Rightarrow \triangleleft_{=1} q$)

$w_1 + w_2 + w_3 + w_4 + w_5 = 2$ ($p' \Rightarrow \triangleleft_{=2} p$)

Hence $w_3 = x_2^0$ and $w_5 = 1 - w_1 = x_1^0 - (x_2^0 - 1)$. Since upon entering $q_3$, clock
$x_1$ has value 0, when leaving, $x_1$ has value $x_2^0$. Similarly, when entering $q_5$, $x_2$ has
value $x_1 - 1 = x_2^0 - 1$, therefore $x_2$ has value $x_1^0$ when reaching $q_{end}$. Note that this
module swaps $x_1$ and $x_2$ regardless of their coding a counter value.

Incrementation module. The same idea applies for the incrementation module $A_+$ of Fig. 8. We force the total time spent in $r_1$ and $r_2$ to be one, expressed in SCL by $\varphi_+ = \mathsf{G}\,\mathit{Span}_1$. The guards and updates in $A_+$ ensure that, with the same notation as above, the time spent in $r_1$ will be $1 - \frac{1}{2}x_2^0$. Hence, when reaching $r_3$, clock $x_2$ will have value $\frac{1}{2}x_2^0$. Therefore, if $x_2^0 = \frac{1}{2^n}$, coding a counter of value $n$, at the end of $A_+$, $x_2$ has value $\frac{1}{2^{n+1}}$, thus coding a value $n+1$ for the same counter.

Decrementation module. Decrementation, for which the corresponding module is depicted in Fig. 9, is handled in a similar manner (with $\varphi_- = \varphi_+ = \mathsf{G}\,\mathit{Span}_1$). The only difference is that $x_2$ has to be compared to 1 in order to test if the value of the counter encoded by $x_2$ is 0.
Fig. 7 Swapping module $A_\leftrightarrow$: (a) choice submodule, (b) swapping submodule ($x_2 > x_1$), (c) swapping submodule ($x_2 < x_1$). Submodules are connected through identical states ($q_0$, $q'_0$, ...).

Fig. 8 Incrementation module.

Fig. 9 Decrementation module.
Since the constraints in $\mathit{Span}_1$ (and $\mathit{Span}_2$) are equalities, they can be satisfied only if $q'$ (and $p'$) are true at a single point in time.

Automaton $A_\mathcal{M}$ is then defined as the concatenation of modules according to $\mathcal{M}$. For clarity, a state $(q, \ell)$ denotes state $q$ in a module corresponding to instruction $\ell$.

Namely, an instruction $\ell$ incrementing $c$ and going to $\ell'$ is an incrementation module with a transition from $(r_3, \ell)$ to the first state of the module corresponding to $\ell'$ (either $(q_{start}, \ell')$, $(r_0, \ell')$ or $(s_0, \ell')$). In the case of an incrementation of $d$, the corresponding module will be the concatenation of $A^{in}_\leftrightarrow$, $A_+$ and $A^{out}_\leftrightarrow$. Modules $A^{in}_\leftrightarrow$ and $A^{out}_\leftrightarrow$ are two copies of the swapping module $A_\leftrightarrow$. The states of $A^{in}_\leftrightarrow$ and $A^{out}_\leftrightarrow$ will be respectively denoted $(q, \ell, in)$ and $(q, \ell, out)$ to avoid confusion. The last swap is performed in order to restore that $x_2$ contains the value of $c$ and $x_1$ the value of $d$. The concatenation is done by transitions from $(q_{end}, \ell, in)$ and $(q'_{end}, \ell, in)$ to $(r_0, \ell)$, and from $(r_3, \ell)$ to $(q_{start}, \ell, out)$. States $(q_{end}, \ell, out)$ and $(q'_{end}, \ell, out)$ are then linked to the first state of the module for $\ell'$.

Decrementation is handled in a similar way. The main difference resides in the fact that $(s_1, \ell)$ is linked to the first state of $\ell''$. In the decrementation of $d$, $(s_4, \ell)$ is linked to a swapping module $A'_\leftrightarrow$ (disjoint from $A^{in}_\leftrightarrow$ and $A^{out}_\leftrightarrow$), in turn linked to the first state of $\ell''$.

The Halt instruction is encoded in a single state $h$ labeled with $\{h\}$. The initial state of the automaton is a new state $Init$ of level 3. It has urgent policy and satisfies no atomic proposition. State $Init$ is linked to the first state of the module corresponding to $\ell_0$, the initial instruction of $\mathcal{M}$, by a transition that updates both $x_1$ and $x_2$ to 1, simulating the initialization of both counters to 0.

Let us define formula $\varphi_{2cm} = \mathsf{F}\,(\neg\mathit{Span}_1 \vee \neg\mathit{Span}_2) \vee \mathsf{G}\,\neg h$. An execution $\rho$ of $A_\mathcal{M}$ satisfies $\varphi_{2cm}$ if either it violates at some point a constraint $\mathit{Span}_i$, which means $\rho$ does not correspond to an execution of $\mathcal{M}$, or $\rho$ never reaches state $h$, which means the execution of $\mathcal{M}$ is not halting.

If $\mathcal{M}$ has a halting execution, then it can be converted into an execution $\rho$ that complies with the $\mathit{Span}_i$ constraints and reaches the final state $h$. Hence $\rho \not\models \varphi_{2cm}$ and

Conversely, if $A_\mathcal{M} \not\models \varphi_{2cm}$, then consider an execution $\rho$ that does not satisfy $\varphi_{2cm}$. Execution $\rho$ both reaches $h$ and complies with the $\mathit{Span}_i$ constraints, hence encodes a halting execution of $\mathcal{M}$.

As a result, $\mathcal{M}$ has no halting execution if and only if

$$A_\mathcal{M} \models \mathsf{F}\,\big((q' \wedge \neg\triangleleft_{=1}\, q) \vee (p' \wedge \neg\triangleleft_{=2}\, p)\big) \vee \mathsf{G}\,\neg h.$$

(The two disjuncts under $\mathsf{F}$ are the negations of $\mathit{Span}_1$ and $\mathit{Span}_2$.) Remark that this formula does not have nested history or prediction modalities ($\triangleleft_{\bowtie c}$ and $\triangleright_{\bowtie c}$). Hence SCL with a discrete semantics (evaluating the subformulas only upon entering a state) would also be undecidable. □

5.2 Model-checking branching time properties with internal clocks

In this section we consider the extension of CTL with model clocks, the corresponding fragment being denoted by $\mathrm{TCTL}^{int}_c$. Such a logic allows one to reason about the sojourn times in different levels, which is quite useful when designing real-time operating systems. For example, formula $\mathsf{A}\,(x_2 < 3)\,\mathsf{U}\,\mathit{safe}$ expresses that all executions reach a safe state while spending less than 3 time units in level 2 (assuming $x_2$ is not updated during the execution). Model checking is achieved by adapting the class graph construction for untiming ITA (Section 3) and adding information relevant to the formula. The problem is thus reduced to a CTL model checking problem on this graph.

Definition 9 Formulas of the timed logic $\mathrm{TCTL}^{int}_c$ are defined by the following grammar:

$$\psi ::= p \mid \psi \wedge \psi \mid \neg\psi \mid \sum_{i \ge 1} a_i \cdot x_i + b \bowtie 0 \mid \mathsf{A}\,\psi\,\mathsf{U}\,\psi \mid \mathsf{E}\,\psi\,\mathsf{U}\,\psi$$

where $p \in AP$ is an atomic proposition, the $x_i$ are model clocks, $a_i$ and $b$ are rational numbers such that only finitely many $a_i$ are non-zero, and $\bowtie \in \{>, \ge, =, \le, <\}$.

As before we use the classical shorthands $\mathsf{F}$, $\mathsf{G}$, and boolean operators.

Let $A = (\Sigma, AP, Q, q_0, F, pol, X, \lambda, lab, \Delta)$ be an interrupt timed automaton and $S = \{(q, v, \beta) \mid q \in Q,\ v \in \mathbb{R}^X,\ \beta \in \{\top, \bot\}\}$ the set of configurations. The formulas of $\mathrm{TCTL}^{int}_c$ are interpreted over configurations$^4$ $s = (q, v, \beta)$.

The semantics of $\mathrm{TCTL}^{int}_c$ is defined as follows on the transition system $\mathcal{T}_A$ associated with $A$. For atomic propositions and a configuration $s = (q, v, \beta)$, with $lab(s) = lab(q)$:

$s \models p$ iff $p \in lab(s)$

$s \models \sum_{i \ge 1} a_i \cdot x_i + b \bowtie 0$ iff $v \models \sum_{i \ge 1} a_i \cdot x_i + b \bowtie 0$

and inductively:

$s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$

$s \models \neg\varphi$ iff $s \not\models \varphi$

$s \models \mathsf{A}\,\varphi\,\mathsf{U}\,\psi$ iff for all $\rho \in Exec(s)$, $\rho \models \varphi\,\mathsf{U}\,\psi$

$s \models \mathsf{E}\,\varphi\,\mathsf{U}\,\psi$ iff there exists $\rho \in Exec(s)$ s.t. $\rho \models \varphi\,\mathsf{U}\,\psi$

with $\rho \models \varphi\,\mathsf{U}\,\psi$ iff there is a position $\pi \in \rho$ s.t. $s_\pi \models \psi$ and $\forall \pi' <_\rho \pi$, $s_{\pi'} \models \varphi \vee \psi$.

The automaton $A$ satisfies $\psi$ if the initial configuration $s_0$ of $\mathcal{T}_A$ satisfies $\psi$.

Theorem 4 Model checking $\mathrm{TCTL}^{int}_c$ on interrupt timed automata can be done in 2-EXPTIME, and in PTIME when the number of clocks is fixed.

The proof relies on a refinement of the class graph according to the comparisons in the formula to model-check. It is detailed in the appendix and we show the resulting graph on an example below.



Example. Consider the ITA $A_1$ (Fig. 3(a)) and the formula $\varphi_1 = \mathsf{E}\,\mathsf{F}\,(q_1 \wedge (x_2 > x_1))$.

We assume that $q_1$ is a propositional property true only in state $q_1$. Initially, the sets of expressions are $E_1 = \{x_1, 0\}$ and $E_2 = \{x_2, 0\}$. First the expression $-\frac{1}{2}x_1 + 1$ is added to $E_2$ since $x_1 + 2x_2 = 2$ appears on the guard of the transition from $q_1$ to $q_2$. Then expression $1$ is added to $E_1$ because $x_1 - 1 < 0$ appears on the guard of the transition from $q_0$ to $q_1$. Finally expression $x_1$ is added to $E_2$ since $x_2 - x_1 > 0$ appears in $\varphi_1$. The iterative part of the procedure goes as follows. Since there is a transition from $q_0$ of level 1 to state $q_1$ of level 2, we compute all differences between expressions of $E_2$, then normalize them:



$^4$ The boolean value in the configuration is not actually used. The logic could be enriched to take advantage of this boolean, to express for example that a run lets some time elapse in a given state.
Level 1 (clock $x_1$ compared with the constants $0$, $\frac{2}{3}$, $1$ and $2$):

$Z^1_0 = (0 = x_1 < \frac{2}{3} < 1 < 2)$, $Z^1_1 = (0 < x_1 < \frac{2}{3} < 1 < 2)$, $Z^1_2 = (0 < x_1 = \frac{2}{3} < 1 < 2)$,
$Z^1_3 = (0 < \frac{2}{3} < x_1 < 1 < 2)$, $Z^1_4 = (0 < \frac{2}{3} < x_1 = 1 < 2)$, $Z^1_5 = (0 < \frac{2}{3} < 1 < x_1 < 2)$,
$Z^1_6 = (0 < \frac{2}{3} < 1 < x_1 = 2)$, $Z^1_7 = (0 < \frac{2}{3} < 1 < 2 < x_1)$.

Level 2 (clock $x_2$ compared with $0$, $x_1$ and $-\frac{1}{2}x_1 + 1$):

$Z^2_0 = (0 = x_2 < x_1 < -\frac{1}{2}x_1 + 1)$, $Z^2_1 = (0 < x_2 < x_1 < -\frac{1}{2}x_1 + 1)$,
$Z^2_2 = (0 < x_1 = x_2 < -\frac{1}{2}x_1 + 1)$, $Z^2_3 = (0 < x_1 < x_2 < -\frac{1}{2}x_1 + 1)$,
$Z^2_4 = (0 < x_1 < -\frac{1}{2}x_1 + 1 = x_2)$, $Z^2_5 = (0 < x_1 < -\frac{1}{2}x_1 + 1 < x_2)$,
$Z^2_6 = (0 = x_2 < -\frac{1}{2}x_1 + 1 < x_1)$, $Z^2_7 = (0 < x_2 < -\frac{1}{2}x_1 + 1 < x_1)$,
$Z^2_8 = (0 < -\frac{1}{2}x_1 + 1 = x_2 < x_1)$, $Z^2_9 = (0 < -\frac{1}{2}x_1 + 1 < x_2 < x_1)$,
$Z^2_{10} = (0 < -\frac{1}{2}x_1 + 1 < x_1 = x_2)$, $Z^2_{11} = (0 < -\frac{1}{2}x_1 + 1 < x_1 < x_2)$.

Table 2 Time zones used in the class graph of $A_1$ when checking $\varphi_1$.



• $x_1 - 0$ and $x_2 - 0$ yield no new expression.

• $x_2 - (-\frac{1}{2}x_1 + 1)$ and $0 - (-\frac{1}{2}x_1 + 1)$, with update $x_2 := 0$, both yield expression $2$, which is added to $E_1$ (the difference $\frac{1}{2}x_1 - 1$ compared with $0$ is normalized into a comparison of $x_1$ with $2$).

• $x_1 - (-\frac{1}{2}x_1 + 1)$ yields expression $\frac{2}{3}$, which is also added to $E_1$ ($\frac{3}{2}x_1 - 1$ compared with $0$ is normalized into a comparison of $x_1$ with $\frac{2}{3}$).

The sets of expressions are therefore $E_1 = \{x_1, 0, 1, \frac{2}{3}, 2\}$ and $E_2 = \{x_2, 0, -\frac{1}{2}x_1 + 1, x_1\}$. Remark that knowing the order between $x_1$ and $\frac{2}{3}$ allows us to know the order between $-\frac{1}{2}x_1 + 1$ and $x_1$. The class graph $\mathcal{G}$ corresponding to $A_1$ and $\varphi_1$ is depicted in Fig. 10. Note that we replaced $x_1$ by its value, since it is not changed by any update at level 2. Some time zone notations used in $\mathcal{G}$ are displayed in Table 2. In the class graph, states where the comparison $x_2 > x_1$ is true are greyed. Among these, the ones in which the class corresponds to state $q_1$ are doubly circled, i.e. states in which $q_1 \wedge (x_2 > x_1)$ is true. Applying the standard CTL model checking procedure on this graph, one can prove that one of these states is reachable, hence proving that $\varphi_1$ is true on $A_1$.
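The iterative saturation of the expression sets can be reproduced with a few lines of exact arithmetic. The following Python script is an added example and not code from the paper: it stores level-2 expressions as affine forms $a \cdot x_1 + b$, derives $-\frac{1}{2}x_1 + 1$ from the guard $x_1 + 2x_2 = 2$, normalizes every pairwise difference of level-2 expressions (under the update $x_2 := 0$ of the transition from $q_0$ to $q_1$) into a threshold on $x_1$, and orders the level-2 thresholds once $x_1$ is fixed, which is how the two families of level-2 zones of Table 2 arise. The pair representation, the function names and the restriction to two levels are assumptions of this example, not definitions taken from the paper.

```python
from fractions import Fraction as Fr
from itertools import combinations

# Added example (assumed representation): a level-2 expression is an affine
# form a*x1 + b over the level-1 clock x1, stored as the pair (a, b); the
# level-2 clock x2 itself is the marker X2 and is replaced by its update.
X2 = "x2"

def solve_for_x2(a1, a2, b):
    """Rewrite a guard a1*x1 + a2*x2 + b = 0 as an affine expression for x2."""
    if a2 == 0:
        raise ValueError("guard does not involve x2")
    return (Fr(-a1, a2), Fr(-b, a2))

def normalize(a, b):
    """a*x1 + b compared with 0 is a comparison of x1 with -b/a
    (None when the form is constant and yields no threshold)."""
    return None if a == 0 else Fr(-b) / a

def saturate_level1(E1, E2, x2_update=(Fr(0), Fr(0))):
    """One step of the closure described on the page: on a transition entering
    level 2 with update x2 := x2_update, every difference of two level-2
    expressions is normalized into a threshold that level 1 must track."""
    thresholds = set(E1)
    forms = [x2_update if e == X2 else e for e in E2.values()]
    for (a1, b1), (a2, b2) in combinations(forms, 2):
        c = normalize(a1 - a2, b1 - b2)
        if c is not None:
            thresholds.add(c)
    return thresholds

def order_level2(x1, E2):
    """Sort the level-2 thresholds for a fixed value of x1 (x1 is frozen while
    the automaton stays at level 2); ties are broken by label."""
    ranked = []
    for label, e in E2.items():
        if e != X2:
            a, b = e
            ranked.append((a * x1 + b, label))
    return [label for _, label in sorted(ranked)]

def paper_example():
    """E1 and E2 of the example on the page, just before the iterative step."""
    E1 = {Fr(0), Fr(1)}                          # constants compared with x1
    E2 = {"x2": X2,
          "0": (Fr(0), Fr(0)),
          "-x1/2+1": solve_for_x2(1, 2, -2),     # guard x1 + 2*x2 - 2 = 0
          "x1": (Fr(1), Fr(0))}                  # from x2 - x1 > 0 in phi1
    return saturate_level1(E1, E2), E2

if __name__ == "__main__":
    E1, E2 = paper_example()
    print("E1 =", sorted(E1))
    print("x1 = 1/2:", order_level2(Fr(1, 2), E2))
    print("x1 = 1:  ", order_level2(Fr(1), E2))
```

For $x_1 = \frac{1}{2}$ the thresholds come out in the order $0 < x_1 < -\frac{1}{2}x_1 + 1$ (the family $Z^2_0$ to $Z^2_5$), while for $x_1 = 1$ the order is $0 < -\frac{1}{2}x_1 + 1 < x_1$ (the family $Z^2_6$ to $Z^2_{11}$); the switch happens exactly at the threshold $\frac{2}{3}$ that the saturation step adds to $E_1$.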



5.3 Model-checking TCTL with subscript

Note that in $\mathrm{TCTL}^{int}_c$, it is not possible to reason about time evolution independently of the level in which actions are performed. For example, properties (P2) the system is error free for at least 50 t.u. or (P3) the system will reach a safe state within 7 t.u. involve global time. In order to verify such properties, we introduce the fragment $\mathrm{TCTL}_p$. This fragment is expressive enough to state constraints on the earliest (and latest) execution time of particular sequences, like those reaching a recovery state after a crash. $\mathrm{TCTL}_p$ is the set of formulas where satisfaction of an until modality over propositions can be parameterized by a restricted form of time intervals.
Fig. 10 The class automaton for $A_1$ and formula $\varphi_1$.
Definition 10 Formulas of $\mathrm{TCTL}_p$ are defined by the following grammar:

$$\varphi_p ::= p \mid \varphi_p \wedge \varphi_p \mid \neg\varphi_p \qquad \text{and} \qquad \psi ::= \psi \wedge \psi \mid \neg\psi \mid \varphi_p \mid \mathsf{A}\,\varphi_p\,\mathsf{U}_{\bowtie a}\,\varphi_p \mid \mathsf{E}\,\varphi_p\,\mathsf{U}_{\bowtie a}\,\varphi_p$$

where $p \in AP$ is an atomic proposition, $a \in \mathbb{Q}$, and $\bowtie \in \{>, \ge, <, \le\}$ is a comparison operator.

The properties given in the introduction can be expressed by $\mathrm{TCTL}_p$ formulas as follows. Property P2: the system is error free for at least 50 t.u. corresponds to $\mathsf{A}\,(\neg\mathit{error})\,\mathsf{U}_{\ge 50}\,\mathit{true}$, while property P3: the system will reach a safe state within 7 t.u. is expressed by $\mathsf{A}\,\mathsf{F}_{\le 7}\,\mathit{safe}$.

Formulas of $\mathrm{TCTL}_p$ are again interpreted over configurations of the transition system associated with an ITA. For configuration $s = (q, v, \beta)$, with $lab(s) = lab(q)$, the inductive definition is as follows:

$s \models p$ iff $p \in lab(s)$

$s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$

$s \models \neg\varphi$ iff $s \not\models \varphi$

$s \models \mathsf{A}\,\varphi_p\,\mathsf{U}_{\bowtie a}\,\psi_p$ iff any execution $\rho \in Exec(s)$ is such that $\rho \models \varphi_p\,\mathsf{U}_{\bowtie a}\,\psi_p$

$s \models \mathsf{E}\,\varphi_p\,\mathsf{U}_{\bowtie a}\,\psi_p$ iff there exists an execution $\rho \in Exec(s)$ such that $\rho \models \varphi_p\,\mathsf{U}_{\bowtie a}\,\psi_p$

where

$\rho \models \varphi_p\,\mathsf{U}_{\bowtie a}\,\psi_p$ iff there exists a position $\pi$ along $\rho$ such that $Dur(\rho_\pi) \bowtie a$, $s_\pi \models \psi_p$, and for any position $\pi' <_\rho \pi$, $s_{\pi'} \models \varphi_p$.

Again $A \models \psi$ if $s_0 \models \psi$.
We now prove that:

Theorem 5 Model checking $\mathrm{TCTL}_p$ on ITA is decidable.

The proof consists in establishing procedures dedicated to the four different subcases:

– $\mathsf{E}\,p\,\mathsf{U}_{\le a}\,r$ and $\mathsf{E}\,p\,\mathsf{U}_{<a}\,r$ (Proposition 6),

– $\mathsf{E}\,p\,\mathsf{U}_{\ge a}\,r$ and $\mathsf{E}\,p\,\mathsf{U}_{>a}\,r$ (Proposition 7),

– $\mathsf{A}\,p\,\mathsf{U}_{\ge a}\,r$ and $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$ (Proposition 8),

– $\mathsf{A}\,p\,\mathsf{U}_{\le a}\,r$ and $\mathsf{A}\,p\,\mathsf{U}_{<a}\,r$ (Proposition 9),

where $p$ and $r$ are boolean combinations of atomic propositions.

Proposition 6 Model checking formulas $\mathsf{E}\,p\,\mathsf{U}_{\le a}\,r$ and $\mathsf{E}\,p\,\mathsf{U}_{<a}\,r$ over ITA is decidable in NEXPTIME and in NP if the number of clocks is fixed.

Proof First consider the case of ITA$_-$. Both formulas are variants of reachability, with the addition of a time bound. Therefore, the proof is similar to the one of Proposition 5. Again using Lemma 2 on an ITA$_-$ with $E$ transitions, we can look for a run satisfying one of these formulas whose length is bounded by the bound $B$ of Lemma 2 (a function of $E$ and $n$), because shortening longer runs can be done while preserving the property. Thus, the decision procedure again consists in guessing a path and building a linear program. The satisfaction of the formula is then checked by separately verifying, on one side, that the run satisfies $p\,\mathsf{U}\,r$, and on the other side, that the sum of all delays $d_i$ satisfies the constraint in the formula. The complexity is the same as in Proposition 5.

In the case of ITA, the exponential blowup of the transformation into an equivalent ITA$_-$ does not affect the complexity of the model-checking procedure above, as in Theorem 1. □
Note that this problem can be compared with bounded reachability as studied in [17]. However, the models seem incomparable: while the variables (that have fixed non-negative rates in a state) are more powerful than interrupt clocks, the guards and updates are rectangular, which in particular forbids additive and diagonal constraints.

Proposition 7 Model checking a formula $\mathsf{E}\,p\,\mathsf{U}_{\ge a}\,r$ or $\mathsf{E}\,p\,\mathsf{U}_{>a}\,r$ on an ITA is decidable in NEXPTIME and in NP if the number of clocks is fixed.

Proof Let $A$ be an ITA$_-$ with $n$ interrupt clocks and $E$ transitions, and let $B$ be the bound of Lemma 2. The algorithm to decide whether $\mathsf{E}\,p\,\mathsf{U}_{\ge a}\,r$ (or $\mathsf{E}\,p\,\mathsf{U}_{>a}\,r$) holds works as follows. It nondeterministically guesses a path of length smaller than or equal to $B$ and builds the associated linear program (as in the proof of Proposition 5), then checks that:

– this path yields a run, which can be done by solving the linear program;

– there is a position $\pi$ in this run at which $r$ holds and before which $p$ holds continuously;

– the sum of delays before $\pi$ is at least $a$ (or strictly exceeds $a$ in the case of $\mathsf{E}\,p\,\mathsf{U}_{>a}\,r$).

If this first procedure fails, the algorithm nondeterministically guesses a path of length smaller than or equal to $2B + 1$ and checks that:

– this path yields a run, which can be checked by a linear program as before;

– $p$ holds along this path, but not necessarily in the last state reached;

– $r$ holds in the last state of this path;

– either there is a transition $e$ of level $k$ that updates $x_k$, appearing twice and separated by a sequence $\sigma$ of transitions of level higher than $k$ during which time elapses (globally); this last part can be checked with a linear program on the delays corresponding to this subrun;

– or there is a transition $e$ of level $k$ that does not update $x_k$, appearing twice and separated by a sequence $\sigma$ of transitions of level higher than $k$ not updating $x_k$, during which time elapses at levels strictly higher than $k$ but not at level $k$.

The algorithm returns true if one of the previous procedures succeeds, and false otherwise. We shall now prove that this algorithm is both sound and complete.

Soundness. If the first procedure succeeds, then the path guessed is trivially a witness of $\mathsf{E}\,p\,\mathsf{U}_{\ge a}\,r$ (or $\mathsf{E}\,p\,\mathsf{U}_{>a}\,r$, accordingly). If the second procedure succeeds, then a witness for the formula can be built from the path guessed. Indeed, the path guessed satisfies $p\,\mathsf{U}\,r$, but not necessarily $p\,\mathsf{U}_{\ge a}\,r$. Assume the sequence $\sigma$ lets $\delta$ time units elapse ($\delta > 0$); by repeating $\lceil a/\delta \rceil$ times$^5$ the sequence $\sigma e$, we obtain a run satisfying $p\,\mathsf{U}_{\ge a}\,r$. Note that since either $e$ updates the clock $x_k$ or there are no updates nor time elapsing at level $k$, and $\sigma$ happens at higher levels, the clock values in each instance of $\sigma e$ will be identical, hence this repetition will always be possible.

Completeness. Now consider a minimal witness $\rho$ of length $h$ for $\mathsf{E}\,p\,\mathsf{U}_{\ge a}\,r$. Since $\rho$ is minimal, $r$ holds in the last state of $\rho$ and $p$ holds (at least) in every position before. If $h \le B$, then the first procedure will consider $\rho$. Otherwise, $h > B$, which means that one of the following cases of Lemma 2 happens:

$^5$ This sequence may be repeated once more in the case of $p\,\mathsf{U}_{>a}\,r$.

– The same transition $e$ of level $k$ leaving $x_k$ unchanged appears twice, separated by lazy or delayed transitions between states of level greater than or equal to $k$. In that case, the corresponding subrun can be replaced by a time step of the same duration, not changing the truth value of $p\,\mathsf{U}_{\ge a}\,r$ on this new smaller run, thus violating the minimality hypothesis.

– The same transition $e$ of level $k$ updating clock $x_k$ appears twice on the subrun $e_1 \ldots e_{B+1}$, at positions $i$ and $j$. In that case we have to distinguish two subcases: either some time has elapsed between the two occurrences $e_i$ and $e_j$ of $e$, or the transitions were all instantaneous.

  – If no time has elapsed, the subrun between $e_i$ and $e_j$ can be removed without altering the truth value of $p\,\mathsf{U}_{\ge a}\,r$ on this new run, which is smaller than $\rho$. Hence there is a contradiction with the minimality hypothesis.

  – Or some time elapsed during this subrun. Let $\rho$ be decomposed into $\rho_0 e_i \sigma e_j \rho_j$. Then by applying Lemma 2 to $\rho_j$ there exists a run $\rho'_j$ of length smaller than or equal to $B$ such that $\rho' = \rho_0 e_i \sigma e_j \rho'_j$ is also a run. Note that $|\rho'| \le 2B + 1$, that the last state of $\rho'$ will be the same as the last state of $\rho$, hence will satisfy $r$, and that $p$ will also hold along $\rho'$. As a result $\rho'$ will be considered by the second procedure.

– The same transition $e$ of level $k$ leaving $x_k$ unchanged appears twice, with no time elapsing at level $k$ between these occurrences. In that case, we again distinguish two subcases:

  – either no time elapsed (globally): the corresponding subrun can be removed, changing nothing in the rest of the execution nor in the satisfaction of $p\,\mathsf{U}_{\ge a}\,r$, thus violating the minimality hypothesis on $\rho$;

  – or time elapsed at higher levels and, by minimizing the subrun after the second occurrence as above, we deduce that the run will be considered by the second procedure.

The completeness proof is similar in the case of $\mathsf{E}\,p\,\mathsf{U}_{>a}\,r$.

When $A$ is an ITA, the exponential blowup of the transformation from ITA to ITA$_-$ does not affect the above complexity. □

While a witness is a finite path in the previous cases, it is potentially infinite for $\mathsf{A}\,p\,\mathsf{U}_{\ge a}\,r$ or $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$. The generation of an infinite run relies on the (nondeterministic) exploration of the class graph built in Section 3, thus has a much greater computational complexity.

Proposition 8 Model checking a formula $\mathsf{A}\,p\,\mathsf{U}_{\ge a}\,r$ or $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$ on an ITA is decidable in 2-EXPTIME and in co-NP if the number of clocks is fixed.

Proof We consider an ITA $A$ with $n$ interrupt clocks, $E$ transitions and the bound $B$ of the class graph construction (defined in terms of $n$, $E$ and the number $b$ of bits coding the constants in $A$).

The algorithm to verify $\mathsf{A}\,p\,\mathsf{U}_{\ge a}\,r$ (or $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$) works as follows. It nondeterministically guesses a path of length smaller than or equal to $B$, builds its associated linear program, and checks that:

– this path yields a run $\rho$ (by solving the linear program);

– this path is maximal, that is, no transition can be fired from the last configuration of the run;

– there is a position $\pi$ in $\rho$ occurring at a time strictly less than$^6$ $a$ such that

  Case 1: either $r$ does not hold from $\pi$ on (see Fig. 11),

  Case 2: or there is a position $\pi'$ where neither $p$ nor $r$ holds, and $r$ does not hold between $\pi$ and $\pi'$ (see Fig. 12).

Fig. 11 Proof of Proposition 8: finite counterexample (Case 1).

Fig. 12 Proof of Proposition 8: finite counterexample (Case 2).

If this first procedure fails, then the algorithm guesses:

– a class $K$ and a cycle $C$ starting from $K$ in the class graph (without building either the graph or the cycle), such that $C$ contains at least one discrete step and only traverses classes where $\neg r$ holds;

– a path in the automaton of length smaller than or equal to the bound $B$;

and checks that:

– the path does yield a run $\rho$ that reaches a configuration $(q, v, \beta)$ in class $K$ (through a linear program);

– there is a position $\pi$ in $\rho$ occurring at a time strictly less than$^7$ $a$ after which $r$ no longer holds.

Remark that the procedure cannot use solely the class graph, since the abstraction is not precise enough to check the existence of position $\pi$.



Soundness. We prove that the algorithm is sound: when one of the procedures succeeds, there exists a counterexample for formula $\mathsf{A}\,p\,\mathsf{U}_{\ge a}\,r$ (or $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$). In the case of the first procedure, it is trivial that the guessed run does not satisfy $p\,\mathsf{U}_{\ge a}\,r$ (or $p\,\mathsf{U}_{>a}\,r$). In the case of the second one, we show that there exists an infinite counterexample. Consider configuration $(q, v, \beta)$, which is reachable by $\rho$. Since $(q, v, \beta)$ belongs to class $K$, for any path $\alpha$ starting from $K$ in the class graph, there is a run in the automaton starting from $(q, v, \beta)$ traversing configurations which belong to the classes traversed by $\alpha$. Since there is a cycle in the class graph, there is an infinite path in the class graph (iterating on this cycle), so there exists an infinite run in the ITA. Also, since $\neg r$ holds along the infinite path of the class graph, it holds along the run of the ITA, and the run is a counterexample for the formula.

$^6$ Less than or equal to $a$ in the case of $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$.
$^7$ Less than or equal to $a$ in the case of $\mathsf{A}\,p\,\mathsf{U}_{>a}\,r$.
Completeness. Assume there exists a finite counterexample $\rho$. Let $A'$ be the ITA$_-$ accepting the same timed language as $A$ and let $E'$ denote the number of its transitions. Let $B'$ be the bound of Lemma 2 for $A'$; we have $B' < B$. If $|\rho| \le B$, it will be detected by procedure 1. Otherwise let $\rho'$ be the run corresponding to $\rho$ in $A'$. This run accepts the same timed word as $\rho$ and its sequence of traversed states can be projected onto the sequence of corresponding states of $\rho$, by omitting states of the form $(q^-, \cdot)$: any subsequence $(q_0^+, \cdot) \to \cdots \to (q_{m-1}^+, \cdot) \to (q_m^-, \cdot) \to (q_m^+, \cdot)$ in $\rho'$ corresponds to the subsequence $q_0 \to \cdots \to q_{m-1} \to q_m$ in $\rho$. Note that $|\rho| \le |\rho'|$ and that $\rho'$ is also a counterexample for the formula (although in $A'$). Since $|\rho'| > B > B'$, one of the cases of Lemma 2 occurs. By removing transitions and maybe replacing them by some time elapsing, as in the proof of Proposition 7, a counterexample $\sigma'$ of size $|\sigma'| \le B' < B$ exists in $A'$. Now consider the run $\sigma$ in $A$ which corresponds to $\sigma'$. We have $|\sigma| \le |\sigma'| \le B' < B$ and $\sigma$ is still a counterexample. Therefore $\sigma$ can be guessed by the first procedure.

If there exists an infinite counterexample $\rho$, consider its counterpart $\alpha$ in the class graph. This counterpart is also infinite. More precisely, $\alpha$ contains an infinite number of discrete transitions. Since $\alpha$ traverses a finite number of classes, it contains a cycle $C$ with at least one discrete transition. Choose any class $K$ of this cycle and consider the prefix $\rho_0$ of $\rho$ leading to a configuration in $K$. As in the case of a finite counterexample, there exists $\rho'_0$ of length smaller than $B$ reaching the same configuration. All of $C$, $K$ and $\rho'_0$ can be guessed by the second procedure, which will therefore succeed.

Procedure 1 operates in NEXPTIME (guessing a path of length $B$ and solving a linear program of size polynomial w.r.t. $B$). Procedure 2 consists in looking for a specific cycle in the class graph, which can be done in time polynomial w.r.t. the size of the graph, thus in 2-EXPTIME. The case where the number of clocks is fixed is handled as usual. □

For formulas in case 4, a specific procedure can be avoided, since the algorithms of cases 2 and 3 can be reused:

Proposition 9 Model checking a formula $\mathsf{A}\,p\,\mathsf{U}_{\le a}\,r$ or $\mathsf{A}\,p\,\mathsf{U}_{<a}\,r$ on an ITA is decidable in 2-EXPTIME and in co-NP if the number of clocks is fixed.

Proof Notice that $\mathsf{A}\,p\,\mathsf{U}_{\le a}\,r = (\mathsf{A}\,p\,\mathsf{U}_{\ge 0}\,r) \wedge \neg(\mathsf{E}\,\neg r\,\mathsf{U}_{>a}\,\mathit{true})$, and $\mathsf{A}\,p\,\mathsf{U}_{<a}\,r = (\mathsf{A}\,p\,\mathsf{U}_{\ge 0}\,r) \wedge \neg(\mathsf{E}\,\neg r\,\mathsf{U}_{\ge a}\,\mathit{true})$. □



6 Language properties

In this section, we compare the expressive power of the previous models with respect to language acceptance. Recall that TL is strictly contained in CRTL. We prove that:

Theorem 6 The families TL and ITL are incomparable. The families CRTL and ITL are incomparable.

6.1 ITL is not contained in TL, nor in CRTL

The next proposition shows that ITA cannot be reduced to TA or CRTA. Observe that the automata used in the proof belong to ITA$_-$. Also, the language given for the first point of the proposition is very simple since it contains only words of length 2.
Fig. 13 An ITA $A_3$ for $L_3$: from $(q_0, 1)$, letter $a$ is read under guard $x_1 < 1$ with update $x_2 := 0$, leading to $(q_1, 2)$; then letter $b$ is read under guard $x_1 + 2x_2 = 1$, leading to $(q_2, 2)$.

Fig. 14 An ITA $A_4$ for $L_4$: from $(q_0, 1)$, letter $c$ is read under guard $x_1 > 0$ with update $x_2 := 0$, leading to $(q_1, 2)$, where letter $c$ is read again under guard $x_2 = x_1$ with update $x_2 := 0$.
Proposition 10

1. There exists a language in ITL whose words have bounded length which is not in TL.

2. There exists a language in ITL which is not in CRTL.

Proof To prove the first point, consider the ITA $A_3$ in Fig. 13. Suppose, by contradiction, that $L_3 = \mathcal{L}(A_3)$ is accepted by some timed automaton $B$ (possibly with $\varepsilon$-transitions). Note that since we consider timed languages, we cannot assume that the granularity of $B$ is 1. Let $d$ be the granularity of $B$, so that every rational constant appearing in the constraints of $B$ can be written $k/d$ for some integer $k$ (i.e. $1/d$ is the gcd of these constants). Then the word $w = (a, 1 - 1/d)(b, 1 - 1/2d)$ is accepted by $B$ through a finite path. Consider now the automaton $B'$ in TA, consisting of this single path (where states may have been renamed). We have $w \in \mathcal{L}(B') \subseteq \mathcal{L}(B) = L_3$ and $B'$ contains no cycle. Using the result in [11], we can build a timed automaton $B''$ without $\varepsilon$-transitions and with the same granularity $d$ such that $\mathcal{L}(B'') = \mathcal{L}(B')$, so that $w \in \mathcal{L}(B'')$.

The accepting path for $w$ in $B''$ contains two transitions: $p_0 \xrightarrow{\ \varphi_1,\, a\ } p_1 \xrightarrow{\ \varphi_2,\, b\ } p_2$. After firing the $a$-transition, all clock values are $1 - 1/d$ or $0$, thus all clock values are $1 - 1/2d$ or $1/2d$ when the $b$-transition is fired. Let $x \bowtie c$ be an atomic constraint appearing in $\varphi_2$. Since the granularity of $B''$ is $d$, the $\bowtie$ operator cannot be $=$, otherwise the constraint would be $x = 1/2d$ or $x = 1 - 1/2d$. If the constraint is $x < c$, $x \le c$, $x > c$, or $x \ge c$, the path will also accept some word $(a, 1 - 1/d)(b, t)$ for some $t \ne 1 - 1/2d$. This is also the case if the constraint $\varphi_2$ is $\mathit{true}$. We thus obtain a contradiction with $\mathcal{L}(B'') \subseteq L_3$, which ends the proof.

To prove the second point, consider the language:

$$L_4 = \{(c, \tau)(c, 2\tau) \ldots (c, n\tau) \mid n \in \mathbb{N},\ \tau > 0\}$$

accepted by the ITA $A_4$ in Fig. 14. This language cannot be accepted by a CRTA (see [21]). □



6.2 TL is not contained in ITL

We now prove that there exists a language in TL that does not belong to ITL. Let $L_5$ be the language defined by

$$L_5 = \{(a, \tau_1)(b, \tau_2) \ldots (a, \tau_{2p+1})(b, \tau_{2p+2}) \mid p \in \mathbb{N},\ \forall\, 0 \le i \le p,\ \tau_{2i+1} = i + 1 \text{ and } i + 1 < \tau_{2i+2} < i + 2,\ \forall\, 1 \le i \le p,\ \tau_{2i+2} - \tau_{2i+1} < \tau_{2i} - \tau_{2i-1}\}$$

Hence, the untimed language of $L_5$ is $(ab)^*$, there is an occurrence of $a$ at each time unit and the successive occurrences of $b$ come each time closer to the occurrence of $a$ than previously. This language is in TL as can be checked on the TA $A_5$ of Fig. 15 (first proposed in [3]).




Fig. 15 A timed automaton $A_5$ for $L_5$.



Proposition 11 The language $L_5$ does not belong to ITL.

Proof Assume, by contradiction, that $L_5$ belongs to ITL. Then $L_5$ is accepted by an ITA$_-$ $A$ with $n$ clocks and $E$ transitions. Let $B$ be the bound of Lemma 2 and consider the timed word $w = (a, \tau_1)(b, \tau_2) \cdots (a, \tau_{2B+1})(b, \tau_{2B+2}) \in L_5$. Word $w$ is accepted by a run $\rho$ of $A$, which can be assumed of minimal size. However, we know that $|\rho| > B$, so one of the three cases of Lemma 2 occurs in the first $B$ transitions.

– Suppose a transition $e$ of level $k$ that updates $x_k$ appears twice, separated by a subrun $\sigma$ of level greater than or equal to $k$. Remark that the valuations after the first and the second occurrence of $e$ are identical. We distinguish several subcases, depending on the word read along $\sigma e$.

  – If $\sigma e$ reads the empty word $\varepsilon$, we write $\delta$ for the time spent during $\sigma e$. If $\delta = 0$, then $\sigma e$ can be deleted without affecting either the remainder of the run or the accepted word, which contradicts the minimality of $\rho$. If $\delta \ge 1$, then some interval $[i, i + 1]$ does not contain any $b$, which contradicts the definition of $L_5$. Otherwise, $0 < \delta < 1$. By deleting $\sigma e$, we obtain an execution $\rho'$ (accepted by $A$) in which the suffix after $e$ is shifted by $\delta$. Therefore the following occurrence of letter $a$, which appeared in $\rho$ at date $i \in \mathbb{N} \setminus \{0\}$, appears in $\rho'$ at date $i - \delta$, which is not integral. So the word accepted by $\rho'$ is not in $L_5$, which is a contradiction.

  – If $\sigma e$ reads more $a$'s than $b$'s or more $b$'s than $a$'s, by deleting $\sigma e$ we obtain a run accepting a word whose untiming is not in $(ab)^*$, thus does not belong to $L_5$.

  – If $\sigma e$ reads as many $a$'s as $b$'s (and both letters at least once), by duplicating $\sigma e$ we obtain a run accepting a word in which the same duration separating an $a$ from the following $b$ is repeated, thus violating the definition of $L_5$.

– Suppose a delayed or lazy transition $e$ of level $k$ occurs twice, separated by a subrun $\sigma$ of level greater than or equal to $k$, such that $\sigma e$ does not update $x_k$. Then we can replace $e\sigma$ by a time step of the same duration and obtain a new run $\rho'$, accepted by $A$.

  – If $e\sigma$ reads $\varepsilon$, then $\rho'$ contradicts the minimality of $\rho$.

  – If $e\sigma$ reads the word $b$, then $\rho'$ accepts a word where $a$ and $b$ do not alternate, thus not in $L_5$.

  – If $e\sigma$ reads at least an $a$, then $\rho'$ accepts a word with no $a$ at a given integral date, therefore not in $L_5$.

– Otherwise, a transition $e$ of level $k$ appears twice separated by a subrun $\sigma$ of level greater than or equal to $k$, such that $\sigma e$ does not update $x_k$ nor lets time elapse at level $k$. The same disjunction as in the case of an update of $x_k$ can be applied, since $\sigma e$ can either be deleted or duplicated.

Note that the feature preventing $L_5$ from being in ITL lies in the decreasing delays between the $a$'s and their immediately following $b$. A language in ITL can record $k$ different constant delays, using $k + 1$ clocks. For instance on the alphabet $\Sigma = \{a_1, \ldots, a_k\}$, the language

$$M_k = \{(a_1, \tau_1) \cdots (a_k, \tau_k)(a_1, \tau_1 + 1) \cdots (a_k, \tau_k + 1) \cdots (a_1, \tau_1 + n) \ldots (a_k, \tau_k + n) \mid n \ge 1,\ \tau_1 < \tau_2 < \cdots < \tau_k < \tau_1 + 1\}$$

is accepted by an ITA$_-$ with $k + 1$ clocks. Fig. 16 illustrates the case where $k = 3$, with all states lazy. We conjecture that $M_k$ cannot be accepted by an ITA with $k$ clocks.




Fig. 16 An interrupt timed automaton for $M_3$.




6.3 Closure under complementation and intersection

Proposition 12 ITL is not closed under complementation.

Proof We prove that the complement $\overline{L_5}$ of $L_5$ belongs to ITL. A timed word belongs to $\overline{L_5}$ iff one of the following assertions holds:

1. An $a$ occurs not at a time unit.

2. An $a$ is missing at some time unit that precedes some letter of the word.

3. A $b$ occurs at a time unit.

4. There is no $b$ in an interval $[i, i + 1]$ with an $a$ at time $i \in \mathbb{N}$.

5. There are two $b$'s in an interval $[i, i + 1]$ with an $a$ at time $i \in \mathbb{N}$.

6. There is an occurrence of $abab$ such that the time difference between the two first occurrences is smaller than or equal to the time difference between the two last occurrences.

Since ITL is trivially closed under union, it is enough to prove that each assertion from the set above can be expressed by an ITA. The five first assertions are straightforwardly modeled by an ITA with a single clock (and $\varepsilon$-transitions) and we present in Fig. 17 an ITA with two clocks corresponding to the last one. □
[Figure 17: image not included in the extraction; the recoverable labels show states $q_0$, $q_1$ at level 1 and $q_2$, $q_3$, $q_4$ at level 2, with transitions labelled $a, x_1 := \ldots$; $a, x_2 := \ldots$; $b, x_2 := \ldots$; $x_1 < x_2, b$; and $a, b$.]

Fig. 17 An ITA for the language defined by assertion 6

Proposition 13 ITL is not closed under intersection. 

Proof $L_5$ is the intersection of $L_5'$ and $L_5''$ defined as follows:

— The words of $L_5'$ are $(a, 1)(b, \tau_1) \ldots (a, n)(b, \tau_n)$, with $i < \tau_i < i + 1$ for all $i$, $1 \le i \le n$.

— The words of $L_5''$ are $(a, \tau_1')(b, \tau_1) \ldots (a, \tau_n')(b, \tau_n)$, with $\tau_{i+1} - \tau_i < 1$ for all $i$, $1 \le i \le n-1$.

Both languages are accepted by one-clock ITA (which are also one-clock TA). In the case of $L_5'$, (1) the clock is reset at every occurrence of an $a$; (2) an $a$ must occur when the clock is 1 and (3) a single $b$ must occur when the clock is in $(0, 1)$. In the case of $L_5''$, (1) the clock is reset at every occurrence of a $b$; (2) a $b$ must occur when the clock is less than 1, except for the first $b$, and (3) a single $a$ must occur before every occurrence of a $b$. □
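As an added example (not code from the paper), the following Python checks membership in $L_5$ in three ways: through the six assertions of Proposition 12 that characterize the complement, and through the languages $L_5'$ and $L_5''$ of Proposition 13. It assumes that a timed word is a date-sorted list of (letter, date) pairs and that the time units are the integers 1, 2, ..., as in the words of $L_5'$.

```python
"""Membership checks for the timed language L5 (added example, not the paper's code).
complement_reasons() evaluates the six assertions of Proposition 12; in_L5_prime()
and in_L5_second() are the two one-clock languages of Proposition 13.
Assumptions: words are date-sorted lists of (letter, date), and "time units" are
the integers 1, 2, ..., matching the first letter (a, 1) of the words of L5'."""
from fractions import Fraction
from typing import List, Tuple

TimedWord = List[Tuple[str, Fraction]]


def word(*pairs) -> TimedWord:
    """Build a timed word from (letter, date) pairs; dates become exact Fractions."""
    return [(letter, Fraction(t)) for letter, t in pairs]


def complement_reasons(w: TimedWord) -> List[int]:
    """Numbers (1..6) of the assertions of Proposition 12 that hold for w.
    The word belongs to L5 iff the returned list is empty."""
    reasons = []
    a_dates = {t for letter, t in w if letter == "a"}
    b_dates = [t for letter, t in w if letter == "b"]
    last = w[-1][1] if w else Fraction(0)
    # 1. an a occurs off a time unit
    if any(t.denominator != 1 for t in a_dates):
        reasons.append(1)
    # 2. an a is missing at some time unit that precedes some letter
    if any(Fraction(i) not in a_dates for i in range(1, int(last) + 1)):
        reasons.append(2)
    # 3. a b occurs at a time unit
    if any(t.denominator == 1 for t in b_dates):
        reasons.append(3)
    # 4./5. every interval [i, i+1] whose left end carries an a holds exactly one b
    for i in sorted(t for t in a_dates if t.denominator == 1):
        count = sum(1 for t in b_dates if i <= t <= i + 1)
        if count == 0 and 4 not in reasons:
            reasons.append(4)
        if count >= 2 and 5 not in reasons:
            reasons.append(5)
    # 6. a factor abab whose first delay is not larger than its second delay
    for k in range(len(w) - 3):
        if "".join(letter for letter, _ in w[k:k + 4]) == "abab":
            first = w[k + 1][1] - w[k][1]
            second = w[k + 3][1] - w[k + 2][1]
            if first <= second:
                reasons.append(6)
                break
    return sorted(reasons)


def in_L5(w: TimedWord) -> bool:
    return not complement_reasons(w)


def in_L5_prime(w: TimedWord) -> bool:
    """L5': (a,1)(b,tau_1) ... (a,n)(b,tau_n) with i < tau_i < i+1 for every i."""
    if len(w) == 0 or len(w) % 2:
        return False
    for i in range(1, len(w) // 2 + 1):
        (la, ta), (lb, tb) = w[2 * i - 2], w[2 * i - 1]
        if not (la == "a" and ta == i and lb == "b" and i < tb < i + 1):
            return False
    return True


def in_L5_second(w: TimedWord) -> bool:
    """L5'': alternating a/b words whose consecutive b dates differ by less than 1."""
    if len(w) == 0 or len(w) % 2:
        return False
    if any(letter != ("a" if k % 2 == 0 else "b") for k, (letter, _) in enumerate(w)):
        return False
    b_dates = [t for letter, t in w if letter == "b"]
    return all(b_dates[i + 1] - b_dates[i] < 1 for i in range(len(b_dates) - 1))
```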



7 Combining ITA with CRTA 

In the previous section, we proved that the classes of languages defined by ITA and CRTA are incomparable. Here we provide a class containing both ITL and CRTL. In order to do so, we combine the models of ITA with CRTA.



7.1 An undecidable product 

The first possible kind of combination is a synchronized product between an ITA and a CRTA. However, this turns out to be too powerful a model, since combining even a TA with an ITA yields the undecidability of the reachability problem.

Definition 11 If $\mathcal{X} = (\Sigma, Q_{\mathcal{X}}, q_0^{\mathcal{X}}, F_{\mathcal{X}}, pol_{\mathcal{X}}, X, \lambda_{\mathcal{X}}, \Delta_{\mathcal{X}})$ is an ITA (propositional variables and labeling are omitted) and $\mathcal{T} = (\Sigma, Q_{\mathcal{T}}, q_0^{\mathcal{T}}, F_{\mathcal{T}}, Y, \Delta_{\mathcal{T}})$ is a TA, then $\mathcal{X} \times \mathcal{T} = (\Sigma, Q_{\mathcal{X}} \times Q_{\mathcal{T}}, (q_0^{\mathcal{X}}, q_0^{\mathcal{T}}), F, pol, X, Y, \lambda, \Delta)$ is an ITA$\times$TA where:

— $pol(q_{\mathcal{X}}, q_{\mathcal{T}}) = pol_{\mathcal{X}}(q_{\mathcal{X}})$ and $\lambda(q_{\mathcal{X}}, q_{\mathcal{T}}) = \lambda_{\mathcal{X}}(q_{\mathcal{X}})$ are lifted from the ITA

— if $q_{\mathcal{X}} \xrightarrow{\varphi, a, u} q'_{\mathcal{X}} \in \Delta_{\mathcal{X}}$ and $q_{\mathcal{T}} \xrightarrow{\psi, a, v} q'_{\mathcal{T}} \in \Delta_{\mathcal{T}}$, then

$$(q_{\mathcal{X}}, q_{\mathcal{T}}) \xrightarrow{\varphi \wedge \psi,\ a,\ u \wedge v} (q'_{\mathcal{X}}, q'_{\mathcal{T}}) \in \Delta.$$
[Figure 18: image not included in the extraction; the recoverable labels show states at levels 2 and 3 with policy $L$ and a guard of the form $x_3 = x_2 - \ldots$.]

Fig. 18 Module $\mathcal{A}^{>}(\ell, \ell')$ incrementing the value of $c$ when $c > d$.

The semantics of an ITA$\times$TA is a transition system over configurations

$$\{(q, v, w, \beta) \mid q \in Q,\ v \in \mathbb{R}^X,\ w \in \mathbb{R}^Y,\ \beta \in \{\top, \bot\}\}.$$

Discrete steps are defined analogously as in ITA (see Definition 5). In time steps, clocks of $X$ evolve as in an ITA and clocks of $Y$ as in a TA. More precisely, a time step of duration $d > 0$ is defined by $(q, v, w, \beta) \xrightarrow{d} (q, v', w', \top)$ where $v'(x_{\lambda(q)}) = v(x_{\lambda(q)}) + d$ and $v'(x) = v(x)$ for any other clock $x \in X$, and $w'(y) = w(y) + d$ for $y \in Y$.

Theorem 7 Reachability is undecidable in the class ITA$\times$TA.

Proof (Sketch) The proof consists in encoding a two counter machine into an ITA$\times$TA. Two classical clocks $\{y_c, y_d\}$ will keep the value of the counters by retaining a value $1 - \frac{1}{2^n}$ to encode $n$ (see footnote below). Three interrupt clocks are used to change the value of the classical clocks through appropriate resets. The ITA$\times$TA is defined through basic modules, corresponding to the four possible actions (incrementation or decrementation of $c$ or $d$). Each module is itself composed of submodules: the first one compares the value of $c$ to the one of $d$. The other one performs the action, but depends on the order between $c$ and $d$.

For example, the submodule incrementing $c$ when $c > d$ is depicted in Fig. 18. In this module, the value of the classical clocks is copied into interrupt clocks, then updated thanks to the linear updates allowed by ITA. The new values are copied back into the classical clocks by resetting them at the appropriate moment. The valuations of clocks during an execution of this module are given in Table 3.

Note that the policies are used in this product, but they could be replaced by classical clocks.

The detailed proof can be found in Appendix B.

Other proofs of undecidability for hybrid systems mixing clocks and stopwatches have been developed (see for instance [24, Theorem 4.1] for a construction with a single stopwatch and 5 clocks). While this construction could have been adapted to our setting, this would have led to an ITA$\times$TA with 5 classical clocks and 2 interrupt clocks.

Footnote: Or rather the complement to 1 of the value.

Table 3 Clock values in the unique run of $\mathcal{A}^{>}(\ell, \ell')$. Irrelevant values of interrupt clocks are greyed. [Table body not included in the extraction.]



7.2 A decidable product of ITA and CRTA: $\mathrm{ITA}^+$

We define another synchronized product between ITA and CRTA, in the spirit of multi-level systems, for which reachability is decidable. This class, denoted by $\mathrm{ITA}^+$, includes a set of clocks at an implicit additional level 0, corresponding to a basic task described as in a CRTA. In the definition below, since no confusion can occur, we aggregate the coloring function of CRTA and the level function of ITA into a single function $\lambda$.

Definition 12 ($\mathrm{ITA}^+$) An extended interrupt timed automaton is a tuple $\mathcal{A} = (Q, q_0, F, pol, X \uplus Y, \Sigma, \Omega, \lambda, up, low, vel, \Delta)$, where:

— $Q$ is a finite set of states, $q_0$ is the initial state and $F \subseteq Q$ is the set of final states.

— $pol : Q \to \{L, U, D\}$ is the timing policy of states.

— $X = \{x_1, \ldots, x_n\}$ consists of $n$ interrupt clocks and $Y$ is a set of basic clocks,

— $\Sigma$ is a finite alphabet,

— $\Omega$ is a set of colors; the mapping $\lambda : Q \uplus Y \to \{1, \ldots, n\} \uplus \Omega$ associates with each state its level or its color, with $x_{\lambda(q)}$ the active clock in state $q$ for $\lambda(q) \in \mathbb{N}$, and $\lambda(y) \in \Omega$ for $y \in Y$. For every state $q \in \lambda^{-1}(\Omega)$, the policy is $pol(q) = L$.

— $up$ and $low$ are mappings from $Y$ to $\mathbb{Q}$ with the same constraints as CRTA (see Definition ??), and $vel : Q \to \mathbb{Q}$ is the clock rate with $\lambda(q) \notin \Omega \Rightarrow vel(q) = 1$

— $\Delta \subseteq Q \times [\mathcal{C}(X \cup Y) \times (\Sigma \cup \{\varepsilon\}) \times \mathcal{U}(X \cup Y)] \times Q$ is the set of transitions. Let $q \xrightarrow{\varphi, a, u} q'$ in $\Delta$ be a transition.

1. The guard $\varphi$ is of the form $\varphi_1 \wedge \varphi_2$ with the following conditions. If $\lambda(q) \in \mathbb{N}$, $\varphi_1$ is an ITA guard on $X$ and otherwise $\varphi_1 = true$. Constraint $\varphi_2$ is a CRTA guard on $Y$ (also possibly equal to $true$).

2. The update $u$ is of the form $u_1 \wedge u_2$ fulfilling the following conditions. Assignments from $u_1$ update the clocks in $X$ with the constraints of ITA when $\lambda(q)$ and $\lambda(q')$ belong to $\mathbb{N}$. Otherwise it is a global reset of the clocks in $X$. Assignments from $u_2$ update clocks from $Y$, as in CRTA.

Any ITA can be viewed as an $\mathrm{ITA}^+$ with $Y$ empty and $\lambda(Q) \subseteq \{1, \ldots, n\}$, and any CRTA can be viewed as an $\mathrm{ITA}^+$ with $X$ empty and $\lambda(Q) \subseteq \Omega$. Class $\mathrm{ITA}^+$ combines both models in the following sense. When the current state $q$ is such that $\lambda(q) \in \Omega$, the ITA part is inactive. Otherwise, it behaves as an ITA but with additional constraints on the clocks of the CRTA involved in the extended guards and updates. The semantics of $\mathrm{ITA}^+$ is defined as usual but now takes into account the velocity of CRTA clocks.

Definition 13 (Semantics of $\mathrm{ITA}^+$) The semantics of an automaton $\mathcal{A}$ in $\mathrm{ITA}^+$ is defined by the transition system $\mathcal{T}_{\mathcal{A}} = (S, s_0, \to)$. The set $S$ of configurations is $\{(q, v, \beta) \mid q \in Q,\ v \in \mathbb{R}^{X \uplus Y},\ \beta \in \{\top, \bot\}\}$, with initial configuration $(q_0, \mathbf{0}, \bot)$. An accepting configuration of $\mathcal{T}_{\mathcal{A}}$ is a pair $(q, v)$ with $q$ in $F$. The relation $\to$ on $S$ consists of time steps and discrete steps, the definition of the latter being the same as before:

Time steps: Only the active clocks in a state can evolve; all other clocks are suspended. For a state $q$ with $\lambda(q) \in \mathbb{N}$ (the active clock is $x_{\lambda(q)}$), a time step of duration $d > 0$ is defined by $(q, v, \beta) \xrightarrow{d} (q, v', \top)$ with $v'(x_{\lambda(q)}) = v(x_{\lambda(q)}) + d$ and $v'(x) = v(x)$ for any other clock $x$. For a state $q$ with $\lambda(q) \in \Omega$ (the active clocks are $Y' = Y \cap \lambda^{-1}(\lambda(q))$), a time step of duration $d > 0$ is defined by $(q, v, \beta) \xrightarrow{d} (q, v', \top)$ with $v'(y) = v(y) + vel(q) \cdot d$ for $y \in Y'$ and $v'(x) = v(x)$ for any other clock $x$. In all states, time steps of duration $d = 0$ leave the system $\mathcal{T}_{\mathcal{A}}$ in the same configuration. When $pol(q) = U$, only time steps of duration 0 are allowed.

Discrete steps: A discrete step $(q, v) \xrightarrow{a} (q', v')$ occurs if there exists a transition $q \xrightarrow{\varphi, a, u} q'$ in $\Delta$ such that $v \models \varphi$ and $v' = v[u]$. When $pol(q) = D$ and $\beta = \bot$, discrete steps are forbidden.

In order to illustrate the interest of the combined models, an example of a (simple) login procedure is described in Fig. 19 as a TA with interruptions at a single level.

First it immediately displays a prompt and arms a time-out of 1 t.u. handled by clock $y$ (transition init $\to$ wait). Then either the user answers correctly within this delay (transition wait $\xrightarrow{ok}$ log), or the user answers incorrectly or lets time elapse, both cases with transition wait $\to$ init, and the system prompts again. The whole process is controlled by a global time-out of 6 t.u. (transition wait $\to$ out) followed by a long suspension (50 t.u.) before reinitializing the process (transition out $\to$ init). Both delays are handled by clock $z$. At any time during the process (in fact in state wait), a system interrupt may occur (transition wait $\to I$). If the time spent during the interrupt (measured by clock $x_1$) is less than 3 t.u., or the time already spent by the user is less than 3 t.u., the login process resumes (transition $I \to$ init). Otherwise the login process is reinitialized, allowing again the 6 t.u. (transition $I \to$ init). In both cases, the prompt will be displayed again. Since invariants are irrelevant for the reachability problem we did not include them in the models. Of course, in this example state wait should have invariant $y \le 1 \wedge z \le 6$ and state out should have invariant $z \le 50$.
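As an added example illustrating Definition 13 on the login procedure of Fig. 19 (not the paper's own code), the following Python simulates time steps, in which only the clocks active at the current level advance, and discrete steps with the global reset of $X$ when crossing between level 0 and level 1. The precise guard and reset forms (for instance $y < 1$ for ok and $z = 6$ for the global time-out) are assumptions reconstructed from the prose description.

```python
"""Simulator for the time and discrete steps of Definition 13, run on the login
procedure of Fig. 19.  Added example, not the paper's code.  Assumed encoding: basic
clocks y, z at level 0 (velocity 1), one interrupt clock x1 at level 1, and the
guard/reset forms below reconstructed from the prose description of the figure."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Valuation = Dict[str, float]


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    label: str
    guard: Callable[[Valuation], bool]
    resets: Tuple[str, ...] = ()


@dataclass
class ITAPlus:
    level: Dict[str, int]         # lambda: state -> 0 (basic level) or an interrupt level
    interrupt_clocks: List[str]   # x_1..x_n; only x_k runs at level k
    basic_clocks: List[str]       # Y; all of velocity 1 in this example
    transitions: List[Transition]

    def time_step(self, q: str, v: Valuation, d: float) -> Valuation:
        """Only the active clocks advance; every other clock is suspended."""
        v2 = dict(v)
        k = self.level[q]
        if k == 0:
            for y in self.basic_clocks:
                v2[y] += d
        else:
            v2[self.interrupt_clocks[k - 1]] += d
        return v2

    def discrete_step(self, q: str, v: Valuation, label: str) -> Tuple[str, Valuation]:
        """Fire the first enabled transition labelled `label` leaving q."""
        for t in self.transitions:
            if t.src == q and t.label == label and t.guard(v):
                v2 = dict(v)
                # Crossing between level 0 and an interrupt level resets all of X
                if (self.level[q] == 0) != (self.level[t.dst] == 0):
                    for x in self.interrupt_clocks:
                        v2[x] = 0.0
                for c in t.resets:
                    v2[c] = 0.0
                return t.dst, v2
        raise ValueError(f"no enabled transition '{label}' from {q} under {v}")

    def run(self, q: str, v: Valuation, steps) -> Tuple[str, Valuation]:
        """Execute a sequence of delays (numbers) and action labels (strings)."""
        for s in steps:
            if isinstance(s, str):
                q, v = self.discrete_step(q, v, s)
            else:
                v = self.time_step(q, v, float(s))
        return q, v


def login_automaton() -> ITAPlus:
    """The login procedure of Fig. 19; guards are assumptions taken from the text."""
    T = Transition
    return ITAPlus(
        level={"init": 0, "wait": 0, "log": 0, "out": 0, "I": 1},
        interrupt_clocks=["x1"], basic_clocks=["y", "z"],
        transitions=[
            T("init", "wait", "prompt", lambda v: True, ("y",)),   # arms the 1 t.u. time-out
            T("wait", "log", "ok", lambda v: v["y"] < 1),
            T("wait", "init", "wrong", lambda v: v["y"] < 1),
            T("wait", "init", "timeout", lambda v: v["y"] == 1),
            T("wait", "out", "global", lambda v: v["z"] == 6),     # global 6 t.u. time-out
            T("out", "init", "wake", lambda v: v["z"] == 50, ("y", "z")),
            T("wait", "I", "irq", lambda v: True),                  # x1 restarts from 0
            T("I", "init", "resume", lambda v: v["x1"] < 3 or v["z"] < 3),
            T("I", "init", "reinit", lambda v: v["x1"] >= 3 and v["z"] >= 3, ("y", "z")),
        ])


def interrupt_then_resume() -> Tuple[str, Valuation]:
    """Constructed trace: a 2 t.u. interrupt freezes y and z (both stay at 0.5)."""
    a = login_automaton()
    return a.run("init", {"x1": 0.0, "y": 0.0, "z": 0.0},
                 ["prompt", 0.5, "irq", 2.0, "resume"])


def interrupt_then_reinit() -> Tuple[str, Valuation]:
    """Constructed trace: 3 t.u. of user time, then a 3 t.u. interrupt, reinitializes."""
    a = login_automaton()
    steps = ["prompt", 0.5, "wrong"] * 6 + ["prompt", 0.5, "irq", 3.0, "reinit"]
    return a.run("init", {"x1": 0.0, "y": 0.0, "z": 0.0}, steps)
```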

We extend the decidability and complexity results of the previous models when combining them with CRTA. Class $\mathrm{ITA}^+_-$ is obtained in a similar way by combining $\mathrm{ITA}^-$ with CRTA.
[Figure 19: image not included in the extraction; the recoverable transition labels are $z = 50,\ rs,\ y := 0,\ z := 0$ and $x_1 \ge 3 \wedge z \ge 3,\ rs,\ y := 0,\ z := 0$.]

Fig. 19 An automaton for login in $\mathrm{ITA}^+$

Proposition 14 1. The reachability problem for $\mathrm{ITA}^+_-$ is decidable in NEXPTIME and is PSPACE-complete when the number of interrupt clocks is fixed.

2. The reachability problem for $\mathrm{ITA}^+$ is decidable in NEXPTIME and is PSPACE-complete when the number of interrupt clocks is fixed.

Proof

Case of $\mathrm{ITA}^+_-$. Let $\mathcal{A} = (Q, q_0, F, pol, X \uplus Y, \Sigma, \Omega, \lambda, up, low, vel, \Delta)$ be an $\mathrm{ITA}^+_-$, with $n = |X|$ the number of ITA clocks, $p = |Y|$ the number of CRTA clocks and $E = |\Delta|$ the number of transitions.

We first consider the reachability problem for two states $q_i$ and $q_f$ on the CRTA level (with $\lambda(q_i) \in \Omega$ and $\lambda(q_f) \in \Omega$). The procedure consists in performing a non deterministic search along an elementary path whose vertices are classes of the class graph of the CRTA. Let $(q, Z)$ be the current class; the procedure non deterministically chooses the next class $(q', Z')$ and checks that there exist a configuration of $(q, Z)$ and an execution only through states $q''$ with $\lambda(q'') \in \mathbb{N}$ that leads to a configuration of $(q', Z')$. This is solved as previously by non deterministically choosing an execution path, building a linear program related to the path (of exponential size) and solving it. Let us prove that such a path can be chosen whose length is in $O(p\,(E + 2n)^{\cdots})$.

Assume that there is a run $\pi$ from $(q, v) \in (q, Z)$ to some configuration $(q', v') \in (q', Z')$ such that all intermediate states $q''$ satisfy $\lambda(q'') \in \mathbb{N}$. We say that a transition $e$ of $\pi$ usefully resets a clock $y \in Y$ if it is the first transition of $\pi$ that resets $y$. Observe that there are at most $p$ useful resetting transitions and that between two such successive transitions (or before the first one or after the last one) the values of the clocks of $Y$ are unchanged when transitions are fired.

We consider a subrun $\rho$ between two such successive transitions (or before the first one or after the last one) from $(q_1, v_1)$ to $(q_2, v_2)$, with $m_k$ the number of transitions of level $k$.

Using Lemma ?? we build a subrun $\rho'$ from $(q_1, v_1)$ to $(q_2, v_2)$ of length smaller than $(E + 2n)^{\cdots}$. Concatenating the subruns, the useful resetting transitions and the initial transition, one obtains a run $\pi'$ from $(q, v)$ to $(q', v')$ of length in $O(p\,(E + 2n)^{\cdots})$.

The key point ensuring correctness of the procedure is that the existence of a solution depends only on the starting class $(q, Z)$ and not on the configuration inside this class. This is due to the separation of guards and updates between the two kinds of clocks on the transitions.

When state $q_i$ (resp. $q_f$) is not at the basic level, the procedure adds an initial (resp. final) guess, also checked by a linear program. When the number of clocks is fixed, the dominant factor is the path search in the class graph, and PSPACE hardness follows from the result for TA.

Case of $\mathrm{ITA}^+$. We transform the ITA part of the automaton into $\mathrm{ITA}^-$ via the procedure of Proposition 3 and apply the procedure for $\mathrm{ITA}^+_-$. □

It is also possible to build a class graph for $\mathrm{ITA}^+$, combining a class graph for ITA and a region graph for TA. This yields the regularity of the untimed language of an $\mathrm{ITA}^+$, hence the strict inclusion in the languages accepted by a stopwatch automaton.

Let $\mathrm{ITL}^+$ be the family of timed languages defined by $\mathrm{ITA}^+$. The class $\mathrm{ITL}^+$ syntactically contains $\mathrm{ITL} \cup \mathrm{CRTL}$. We can however obtain a stronger result:

Proposition 15 The class $\mathrm{ITL}^+$ strictly contains $\mathrm{ITL} \cup \mathrm{CRTL}$.

Proof Recall ITA $\mathcal{A}_4$ of Fig. 14 whose language $L_4$ is not in CRTL, and let $Q_4$ be its set of states. Also recall TA $\mathcal{A}_5$ of Fig. 15 whose language $L_5$ is not in ITL, with set of states $Q_5$. Let $\mathcal{A}_4 \otimes \mathcal{A}_5$ be the $\mathrm{ITA}^+$ having $\mathcal{A}_5$ at level 0 and $\mathcal{A}_4$ at levels 1 and 2.

Formally, $\mathcal{A}_4 \otimes \mathcal{A}_5$ has set of states $Q_4 \cup Q_5$, which are all lazy. Interrupt clocks of $\mathcal{A}_4 \otimes \mathcal{A}_5$ are $\{x_1, x_2\}$ (active according to $\mathcal{A}_4$). Its basic clocks are $\{z, y\}$ of velocity 1. Both have the same color as the states of $Q_5$. The bounding functions $up$ (resp. $low$) map both $z$ and $y$ to 1 (resp. 0). Transitions of $\mathcal{A}_4 \otimes \mathcal{A}_5$ are the ones of $\mathcal{A}_4$ and $\mathcal{A}_5$, adding an unguarded, unlabeled transition from $\mathcal{A}_5$'s final state to $\mathcal{A}_4$'s initial one.

$\mathcal{A}_4 \otimes \mathcal{A}_5$ accepts timed words which start with an alternation of $a$'s and $b$'s, with the $b$ drawing always closer to its preceding $a$ (as in $\mathcal{A}_5$), and then contain only $c$'s separated by the same amount of time (as in $\mathcal{A}_4$). Since both CRTL and ITL are closed under projection, $\mathcal{L}(\mathcal{A}_4 \otimes \mathcal{A}_5)$ cannot be accepted by a CRTA nor by an ITA. □



8 Conclusion 

In this paper, we introduced and studied the model of Interrupt Timed Automata. This model is useful to represent timed systems with tasks organized over priority levels.

While ITA fall into the more general class of hybrid systems, the reachability problem is proved decidable for this subclass. For ITA, reachability is in NEXPTIME, and in PTIME when the number of clocks is fixed, by building a class graph. Similar constructions yield decidability of the reachability problem on an extension of ITA where the lowest priority level can behave as a Controlled Real-Time Automaton. They also yield procedures for model checking CTL$^*$ formulas and timed CTL formulas constraining only the clocks of the system. Another fragment of interest was identified in timed CTL as decidable: the one where the only time constraints concern global earliest or latest execution times. On the other hand, model checking the linear time logic SCL is proved undecidable on ITA, implying that this is also the case for MITL.

From the expressiveness point of view, the class ITL is proved incomparable with both TL and CRTL, and is neither closed under complementation nor under intersection. The expressiveness results are summed up in Fig. 20, where the grey zone represents undecidability of the reachability problem.
Fig. 20 Expressiveness of several timed formalisms with respect to timed languages. [Image not included in the extraction.]



Several problems remain open on the class of ITA. First of all, the effect of having both (limited) stopwatches and linear expressions in guards is combined in ITA, and it is not known which of the two is the cause of the undecidability results presented in this paper. For instance, the undecidability of SCL may not hold without the possibility of complex updates. More generally, the expressive power of the subclass of ITA restricted to rectangular guards ($x + b \bowtie 0$) and only resets ($x := 0$) should be investigated. Also, it is conjectured that the class of ITA with $n+1$ clocks is strictly more expressive than the class of ITA with $n$ clocks. Regarding model checking, the undecidability of full TCTL remains to be established. Finally, the complexity bounds presented in this paper are only upper bounds, and matching lower bounds are still missing.
A Proof of Theorem 4

Let $\varphi$ be a formula of the fragment of TCTL considered in Theorem 4 and $\mathcal{A}$ an ITA with $n$ levels and $E$ transitions. Like in Section 3, the proof relies on the construction of a finite class graph. The main difference is in the computation of the $n$ sets of expressions $E_1, \ldots, E_n$. Like before, each set $E_k$ is initialized to $\{x_k, 0\}$ and the expressions in this set are those which are relevant for comparisons with the current clock at level $k$. In this case, they include not only guards but also comparisons with the constraints from the formula. Recall that the sets are computed top down from $n$ to 1, using the normalization operation.

— At level $k$, we may assume that expressions in guards of an edge leaving a state are of the form $a x_k + \sum_{i<k} a_i x_i + b$ with $a \in \{0, 1\}$. We add $-\sum_{i<k} a_i x_i - b$ to $E_k$.

— To take into account the constraints of formula $\varphi$, we add the following step: for each comparison $C \bowtie 0$ in $\varphi$, and for each $k$, with $norm(C, k) = a x_k + \sum_{i<k} a_i x_i + b$ ($a \in \{0, 1\}$), we also add the expression $-\sum_{i<k} a_i x_i - b$ to $E_k$.

— Then we iterate the following procedure until no new term is added to any $E_i$ for $1 \le i \le k$.

1. Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q') \ge k$ and $\lambda(q) \ge k$. If $C \in E_k$, then we add $C[u]$ to $E_k$.

2. Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q') \ge k$ and $\lambda(q) < k$. For $C, C' \in E_k$, we compute $C'' = norm(C[u] - C'[u], \lambda(q))$. If $C'' = a x_{\lambda(q)} + \sum_{i<\lambda(q)} a_i x_i + b$ with $a \in \{0, 1\}$, then we add $-\sum_{i<\lambda(q)} a_i x_i - b$ to $E_{\lambda(q)}$.

The proof of termination for this construction is similar to the one in Section 3.

We now consider the transition system $\mathcal{G}_{\mathcal{A}}$ whose configurations are the classes $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$, where $q$ is a state and $\preceq_k$ is a total preorder over $E_k$. The class $R$ describes the set of valuations $[R] = \{(q, v) \mid \forall k \le \lambda(q)\ \forall (g, h) \in E_k^2,\ g[v] \le h[v] \text{ iff } g \preceq_k h\}$. The set of transitions is defined as in Section 3. The transition system $\mathcal{G}_{\mathcal{A}}$ is again finite and time abstract bisimilar to $\mathcal{T}_{\mathcal{A}}$. Moreover, the truth value of each comparison $C = \sum_{i \ge 1} a_i x_i + b \bowtie 0$ appearing in $\varphi$ can be set for each class $R$. Indeed, since for every $k$, both … and $\sum_{i \ge 1} a_i x_i + b$ are in the set of expressions $E_k$, the truth value of $C \bowtie 0$ does not change inside a class. Therefore, introducing a fresh propositional variable $q_C$ for the constraint $C \bowtie 0$, each class $R$ can be labelled with a truth value for each $q_C$. Deciding the truth value of $\varphi$ can then be done by a classical CTL model checking algorithm on $\mathcal{G}_{\mathcal{A}}$.

The complexity of the procedure is obtained by bounding the number of expressions for each level $k$ by $(E + |\varphi| + 2)^{\cdots}$, and applying the same reasoning as for Proposition 2.



B Proof of Theorem 7

We build an automaton in ITA$\times$TA which simulates a deterministic two counter machine $\mathcal{M}$ (as in the proof of Theorem 3).

Let $L_{\mathcal{M}}$ be the set of labels of $\mathcal{M}$. The automaton $\mathcal{A}_{\mathcal{M}} = (\Sigma, Q, q_0, F, pol, X \cup Y, \lambda, \Delta)$ is built to reach its final location $Halt$ if and only if $\mathcal{M}$ stops. It is defined as follows:

— $\Sigma$ consists of one letter per transition.

— $Q = L_{\mathcal{M}} \cup (L_{\mathcal{M}} \times \{k_0\}) \cup (L_{\mathcal{M}} \times \{k_1, k_2, r_1, \ldots, r_5\} \times \{>, <\})$, $q_0 = \ell_0$ (the initial instruction of $\mathcal{M}$) and $F = \{Halt\}$.

— $pol : Q \to \{Urgent, Lazy, Delayed\}$ is such that $pol(q) = Urgent$ iff either $q \in L_{\mathcal{M}}$ or $q = (\ell, k_2, \bowtie)$, and $pol(q) = Lazy$ in most other cases: some states $(\ell, k_i, \bowtie)$ are $Delayed$, as shown on Fig. 21 and 22.

— $X = \{x_1, x_2, x_3\}$ is the set of interrupt clocks and $Y = \{y_c, y_d\}$ is the set of standard clocks with rate 1.

— $\lambda : Q \to \{1, 2, 3\}$ is the interrupt level of each state. All states in $L_{\mathcal{M}}$ and $L_{\mathcal{M}} \times \{k_0, k_1, k_2\}$ are at level 1, as are all states corresponding to $r_1$. States corresponding to $r_2$ and $r_3$ are at level 2, while the ones corresponding to $r_4$ and $r_5$ are at level 3.

— $\Delta$ is defined through basic modules in the sequel.

The transitions of $\mathcal{A}_{\mathcal{M}}$ are built within small modules, each one corresponding to one instruction of $\mathcal{M}$. The value $n$ of $c$ (resp. $p$ of $d$) in a state of $L_{\mathcal{M}}$ is encoded by the value $1 - \frac{1}{2^n}$ of clock $y_c$ (resp. $1 - \frac{1}{2^p}$ of $y_d$).

The idea behind this construction is that for any standard clock $y$, it is possible to "copy" the value of $k - y$ into an interrupt clock $x_i$, for some constant $k$, provided the value of $y$ never exceeds $k$. To achieve this, we start and reset the interrupt clock, then stop it when $y = k$. Note that by the end of the copy, the value of $y$ has changed. Conversely, in order to copy the content of an interrupt clock $x_i$ into a clock $y$, we switch from level $i$ to level $i+1$ and reset $y$ at the same time. When $x_{i+1} = x_i$, the value of $y$ is equal to the value of $x_i$. Remark that the form of the guards on $x_{i+1}$ allows us to copy the value of a linear expression on $\{x_1, \ldots, x_i\}$ into $y$.

Fig. 21 Module taking into account the order between the values of $c$ and $d$ when incrementing [image not included in the extraction]

For instance, consider an instruction labeled by $\ell$ incrementing $c$ then going to $\ell'$, with the respective values $n$ of $c$ and $p$ of $d$, from a configuration where $n > p$. The corresponding module $\mathcal{A}^{>}(\ell, \ell')$ is depicted on Fig. 18 (see main text). In this module, interrupt clock $x_1$ is used to record the value $\frac{1}{2^n}$ while $x_2$ keeps the value $\frac{1}{2^p}$. Assuming that $y_c = 1 - \frac{1}{2^n}$, $y_d = 1 - \frac{1}{2^p}$ and $x_1 = 0$ in state $(\ell, r_1, >)$, the unique run in $\mathcal{A}^{>}(\ell, \ell')$ will end in state $\ell'$ with $y_c = 1 - \frac{1}{2^{n+1}}$ and $y_d = 1 - \frac{1}{2^p}$. The intermediate clock values are shown in Table 3 (see main text).

The module of Fig. 18 can be adapted to the case of decrementing $c$ by just changing the linear expressions in the guards for $x_3$, provided that the final value of $c$ is still greater than the one of $d$. It is however also quite easy to adapt the same module when $n < p$: in that case we store $\frac{1}{2^p}$ in $x_1$ and $\frac{1}{2^n}$ in $x_2$, since $y_d$ will reach 1 before $y_c$. We also need to start $y_d$ before $y_c$ when copying the adequate values into the clocks. The case of decrementing $c$ while $n < p$ is handled similarly. In order to choose which module to use according to the ordering between the values of the counters, we use the modules of Fig. 21 and 22. Fig. 21 represents the case when at label $\ell$ we have an increment of $c$, whereas Fig. 22 represents the case when $\ell$ corresponds to decrementing $c$. In that last case the value of $c$ is compared not only to the one of $d$, but also to 0, in order to know which branch of the if instruction is taken. Note that only one of the branches can be taken until the end (state policies are used to treat the special cases, e.g. $y_c = y_d = 0$). Instructions involving $d$ are handled in a symmetrical way.

Automaton $\mathcal{A}_{\mathcal{M}}$ is obtained by joining the modules described above through the states of $L_{\mathcal{M}}$. Let us prove that automaton $\mathcal{A}_{\mathcal{M}}$ simulates the two counter machine $\mathcal{M}$, so that $\mathcal{M}$ halts iff $\mathcal{A}_{\mathcal{M}}$ reaches the $Halt$ state.

Let $(\ell_0, 0, 0)(\ell_1, n_1, p_1) \ldots (\ell_i, n_i, p_i) \ldots$ be a run of $\mathcal{M}$. We show that this run is simulated in $\mathcal{A}_{\mathcal{M}}$ by the run $(\ell_0, v_0)\rho_0(\ell_1, v_1)\rho_1 \ldots$ where $\rho_i$ is either empty or a subrun through states in $\{(\ell_i, r_j, \bowtie) \mid j \in \{1, \ldots, 5\},\ \bowtie \in \{>, <\}\}$ (i.e. subruns in modules like $\mathcal{A}^{>}(\ell, \ell')$ of Fig. 18). Moreover, it will be the case that

$$\forall i,\quad v_i(y_c) = 1 - \frac{1}{2^{n_i}} \quad \text{and} \quad v_i(y_d) = 1 - \frac{1}{2^{p_i}}.$$

This holds at the beginning of the execution of $\mathcal{A}_{\mathcal{M}}$. Suppose that we have simulated the subrun up to $(\ell_i, n_i, p_i)$. Then we are in state $\ell_i$, with clock $y_c$ being $1 - \frac{1}{2^{n_i}}$ and $y_d$ being $1 - \frac{1}{2^{p_i}}$. The next configuration of $\mathcal{M}$, $(\ell_{i+1}, n_{i+1}, p_{i+1})$, depends on the content of instruction $\ell_i$, and so do the outgoing transitions of state $\ell_i$ in $\mathcal{A}_{\mathcal{M}}$. We consider the case where $\ell_i$ decrements $c$ and goes to $\ell'$ if $c$ is greater than 0 and goes to $\ell''$ otherwise, the other ones being similar. We are therefore in the case of Fig. 22. If $n_i = 0$, the next configuration of $\mathcal{M}$ will be $(\ell'', n_i, p_i)$. Conversely, in $\mathcal{A}_{\mathcal{M}}$, if $n_i = 0$ then $y_c = 0$, and there is no choice but to enter $\ell''$, leaving all clock values unchanged (because $\ell_i$ is an $Urgent$ state). The configuration of $\mathcal{A}_{\mathcal{M}}$ thus satisfies the property. If $n_i > 0$, the next configuration of $\mathcal{M}$ will be $(\ell', n_i - 1, p_i)$. In $\mathcal{A}_{\mathcal{M}}$, the transition chosen is the one that corresponds to the ordering between $n_i$ and $p_i$. In both cases, similarly to the example of $\mathcal{A}^{>}(\ell, \ell')$, the run reaches state $\ell'$ with $y_c = 1 - \frac{1}{2^{n_i - 1}}$ and $y_d$ as before, thus preserving the property. Hence $\mathcal{M}$ halts iff $\mathcal{A}_{\mathcal{M}}$ reaches the $Halt$ state.

The automaton $\mathcal{A}_{\mathcal{M}}$ is indeed the product of an ITA $\mathcal{X}$ and a TA $\mathcal{T}$, synchronized on actions. Observe that in all the modules described above, guards never mix a standard clock with an interrupt one. Since each transition has a unique label, keeping only guards and resets on either the clocks of $X$ or on those of $Y$ yields an ITA and a TA whose product is $\mathcal{A}_{\mathcal{M}}$. □

Fig. 22 Module taking into account the order between the values of $c$ and $d$ when decrementing [image not included in the extraction]



